The docker images for gitlab-ce and gitlab-ee start workhorse with incorrect socket ownership

Hello

I was hit by the problem described at #300119 (closed) which however is not a documentation problem, as far as I can tell (see my reasoning below).

The plan is to have a self-hosted gitlab instance, running as docker container in a CentOS 7 which itself is a VM with 24 processors and as much RAM as needed (4 GB for a start). Docker CE is installed and in use for cca 1 year. I followed almost ad litteram the instructions from https://docs.gitlab.com/ee/install/docker.html#install-gitlab-using-docker-engine in order to install gitlab-ce (in this moment I use an image downloaded a couple of hours ago). The only change I made was to publish different ports because 80 and 443 are already used; I started the container using: docker run --detach --rm --hostname gitlab.ourdomain.tld --publish 8443:443 --publish 8000:8000 --publish 8022:22 --name gitlab --volume $GITLAB_HOME/config:/etc/gitlab:Z --volume $GITLAB_HOME/logs:/var/log/gitlab:Z --volume $GITLAB_HOME/data:/var/opt/gitlab:Z --shm-size 256m gitlab/gitlab-ce:latest

Via docker exec gitlab editor gitlab.rb I adjusted external_url="http://gitlab.ourdomain.tld:8000" and restarted the container.

However even 24hrs later the entry page was still displaying "502 Whoops, GitLab is taking too much time to respond.". Digging in the logs exhibited the following error: /srv/gitlab/logs/nginx/gitlab_error.log:2022/01/09 22:56:40 [crit] 559#0: *11 connect() to unix:/var/opt/gitlab/gitlab-workhorse/sockets/socket failed (13: Permission denied) while connecting to upstream, client: 10.80.0.130, server: gitlab.ourdomain.tld, request: "POST /users/sign_in HTTP/1.1", upstream: "http://unix:/var/opt/gitlab/gitlab-workhorse/sockets/socket:/users/sign_in", host: "gitlab.ourdomain.tld:8000", referrer: "http://gitlab.ourdomain.tld:8000/users/sign_in" which repeated ad nauseam. After some googling I reached a page which recommended using docker exec gitlab chmod o+w /var/opt/gitlab/gitlab-workhorse/sockets/socket

Leaving aside the broad permission applied above, the problem was indeed temporarily fixed but it reappears after each restart. The permissions for docker recommended at https://docs.gitlab.com/ee/install/docker.html#install-gitlab-using-docker-engine are already in place:

#getfacl $GITLAB_HOME
getfacl: Removing leading '/' from absolute path names
# file: srv/gitlab
# owner: root
# group: root
user::rwx
group::r-x
group:docker:rwx
mask::rwx
other::r-x
default:user::rwx
default:group::r-x
default:group:docker:rwx
default:mask::rwx
default:other::r-x

If I made an obvious error and this is not a bug, please accept my apologies and point me to the correct fix. If not... what should be done in order to fix this problem?

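The nginx error in the report ("connect() to unix:... failed (13: Permission denied)") is a file-permission failure: connecting to a Unix-domain socket requires write permission on the socket inode for the account nginx runs as. The script below is an added example, not GitLab's code and not part of the original issue; it reads the socket's owner, group and mode bits, evaluates the owner/group/other write rule for a given nginx user, and proposes the narrowest change that would let that user connect instead of the world-writable chmod o+w the reporter found online. Assumptions, labelled as such: the nginx worker user is gitlab-www (an omnibus convention, not stated on the page), the socket path is the one from the nginx log line, and for offline runs a stand-in socket is created in a temporary directory.

```python
import grp
import os
import pwd
import socket
import stat
import tempfile
from dataclasses import dataclass

# Path copied from the nginx error line quoted in the issue.
WORKHORSE_SOCKET = "/var/opt/gitlab/gitlab-workhorse/sockets/socket"
# Assumption: the account the omnibus nginx worker runs as.
NGINX_USER = "gitlab-www"


@dataclass(frozen=True)
class SocketPerms:
    owner: str
    group: str
    mode: int  # permission bits only, e.g. 0o770


def can_connect(perms: SocketPerms, user: str, user_groups: set) -> bool:
    """Write-bit check as the kernel applies it to a Unix socket file.

    Only the first matching class counts: the owner is judged on the owner
    bits even if they are also a member of the socket's group.
    """
    if user == perms.owner:
        return bool(perms.mode & stat.S_IWUSR)
    if perms.group in user_groups:
        return bool(perms.mode & stat.S_IWGRP)
    return bool(perms.mode & stat.S_IWOTH)


def least_privilege_fix(perms: SocketPerms, user: str, user_groups: set) -> str:
    """Narrowest shell change letting `user` connect, or '' if none is needed.

    A group grant is preferred over 'chmod o+w', which would make the socket
    writable by every account inside the container.
    """
    if can_connect(perms, user, user_groups):
        return ""
    if user == perms.owner:
        return f"chmod u+w {WORKHORSE_SOCKET}"
    if perms.group in user_groups:
        return f"chmod g+w {WORKHORSE_SOCKET}"
    if user_groups:
        # Re-scope the socket to one of the user's groups rather than to 'other'.
        target = sorted(user_groups)[0]
        return f"chgrp {target} {WORKHORSE_SOCKET} && chmod g+w {WORKHORSE_SOCKET}"
    return f"chmod o+w {WORKHORSE_SOCKET}"  # last resort: world-writable


def inspect_socket(path: str) -> SocketPerms:
    """Owner, group and mode bits of a real socket file (names fall back to ids)."""
    st = os.stat(path)
    if not stat.S_ISSOCK(st.st_mode):
        raise ValueError(f"{path} is not a Unix socket")
    try:
        owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        owner = str(st.st_uid)
    try:
        group = grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        group = str(st.st_gid)
    return SocketPerms(owner, group, stat.S_IMODE(st.st_mode))


def groups_of(user: str) -> set:
    """Primary plus supplementary groups of a local account, empty if unknown."""
    try:
        pw = pwd.getpwnam(user)
    except KeyError:
        return set()
    names = {g.gr_name for g in grp.getgrall() if user in g.gr_mem}
    try:
        names.add(grp.getgrgid(pw.pw_gid).gr_name)
    except KeyError:
        pass
    return names


def make_demo_socket(directory: str, mode: int = 0o700):
    """Constructed stand-in for the workhorse socket so the script runs offline."""
    path = os.path.join(directory, "socket")
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    os.chmod(path, mode)
    return srv, path


if __name__ == "__main__":
    # Inside the container you would call inspect_socket(WORKHORSE_SOCKET) and
    # groups_of(NGINX_USER) instead of the constructed socket used here.
    with tempfile.TemporaryDirectory() as d:
        srv, path = make_demo_socket(d)
        try:
            p = inspect_socket(path)
            ok = can_connect(p, NGINX_USER, {NGINX_USER})
            print(p, "-> nginx can connect:", ok)
            print("suggested fix:", least_privilege_fix(p, NGINX_USER, {NGINX_USER}) or "none")
        finally:
            srv.close()
```

Run it with `docker exec gitlab python3 diagnose_socket.py` (file name is yours to choose) after replacing the demo socket with `inspect_socket(WORKHORSE_SOCKET)`; a suggestion of `chgrp ... && chmod g+w` means the socket was created with a group nginx is not in, which is the condition a permanent fix in the image's startup scripts would need to address, rather than a per-restart chmod.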