<!--- Please read this! Before opening a new issue, make sure to search for keywords in the issues filtered by the "regression" or "type::bug" label: - https://gitlab.com/gitlab-org/gitlab/issues?label_name%5B%5D=regression - https://gitlab.com/gitlab-org/gitlab/issues?label_name%5B%5D=type::bug and verify the issue you're about to submit isn't a duplicate. ---> ### Summary <!-- Summarize the bug encountered concisely. --> I first posted my issues [here](https://forum.gitlab.com/t/docker-installation-numerous-failures/133879) before I found this reporting mechanism. I am facing significant issues getting the latest Docker image to run. I've had numerous permission issues: * While the container creates the necessary users, it doesn't create the directories for those users * When the recipes run, they attempt to create the necessary folder structure, but they create each folder as `root` and then attempt to set permissions using the target user: the second phase of the folder creation fails, because the target user doesn't have access to the folders created by `root` * `/assets/update-permissions` is not helpful, because it skips any folders that don't exist, and the container is only creating and failing on one folder at a time * I've attempted to fix the problem by injecting a script I wrote, which ensures all users exist and the paths from `/assets/setup` have the proper permissions. I mount the script to a custom directory and invoke it using the `GITLABS_PRE_RECONFIGURE_SCRIPT` env; however, this has also been ineffective * The `/assets/init-container` script creates permissions issues even after I fix them (manually or with my script) because it resets permissions that break access for the other users on the container. Specifically, it resets the permissions on /var/opt/gitlab to `root` and then the other users (`git` and `git-psql` so far, from my debugging) can't access their required subfolders. I've had to overcome this by setting ACLs on the host to force the other users to have access after the init recipe breaks the permissions. * The container waits nearly a full 10 minutes for a logrotate task to timeout during init, which has greatly slowed my troubleshooting efforts. Mind you, this is a fresh install of the container with no data: I have no idea why a logrotate would bog the init process down by 10 minutes I've put over 12 hours into trying to run this container. I'm not sure if I'm doing something wrong, but this container seems completely broken. Please help. ### Steps to reproduce <!-- Describe how one can reproduce the issue - this is very important. Please use an ordered list. --> * Follow the [Install GitLab in a Docker container](https://docs.gitlab.com/install/docker/installation/) documentation * Also incorporated [Configure SSL](https://docs.gitlab.com/omnibus/settings/ssl/#configure-a-reverse-proxy-or-load-balancer-ssl-termination) instructions into my Compose file * `docker compose up -d` ### Example Project <!-- If possible, please create an example project here on GitLab.com that exhibits the problematic behavior, and link to it here in the bug report. If you are using an older version of GitLab, this will also determine whether the bug is fixed in a more recent version. --> N/A: Can't even get container to run successfully ### What is the current *bug* behavior? <!-- Describe what actually happens. --> The container fails during its init process with various errors. They seem to be mostly related to rejected access; however, the init scripts don't seem to incorporate any verification to safely proceed, so they assume variables are set and use them to execute additional commands that end up failing with syntax errors. If you review my [forum post](https://forum.gitlab.com/t/docker-installation-numerous-failures/133879), you'll see snippets of the types of errors I get -- namely the syntax error from the `stat` command, because there's no error checking on `$(readlink -f <path>)` before injecting that return value (which resolves to nothing when the path is inaccessible) to `stat`. ### What is the expected *correct* behavior? I'd like the container to ... run, ideally. <!-- Describe what you should see instead. --> ### Relevant logs and/or screenshots <!-- Paste any relevant logs - please use code blocks (```) to format console output, logs, and code as it's tough to read otherwise. --> More information in [my forum post](https://forum.gitlab.com/t/docker-installation-numerous-failures/133879), but many errors like this: ``` Recipe: gitaly::git_data_dirs * storage_directory[/var/opt/gitlab/git-data/repositories] action create * ruby_block[directory resource: /var/opt/gitlab/git-data/repositories] action run================================================================================ Error executing action `run` on resource ‘ruby_block[directory resource: /var/opt/gitlab/git-data/repositories]’ ================================================================================Mixlib::ShellOut::ShellCommandFailed ------------------------------------ Expected process to exit with [0], but received ‘1’ ---- Begin output of stat --printf=‘%U’ $(readlink -f /var/opt/gitlab/git-data/repositories) ---- STDOUT: STDERR: stat: missing operand Try ‘stat --help’ for more information. ---- End output of stat --printf=‘%U’ $(readlink -f /var/opt/gitlab/git-data/repositories) ---- Ran stat --printf=‘%U’ $(readlink -f /var/opt/gitlab/git-data/repositories) returned 1 ``` Errors like this occur for several of the recipes as they attempt to create their own folder structures. ### Output of checks <!-- If you are reporting a bug on GitLab.com, uncomment below --> <!-- This bug happens on GitLab.com --> <!-- and uncomment below if you have /label privileges --> <!-- /label ~"reproduced on GitLab.com" --> <!-- or follow up with an issue comment of `@gitlab-bot label ~"reproduced on GitLab.com"` if you do not --> #### Results of GitLab environment info <!-- Input any relevant GitLab environment information if needed. --> Not sure if this section is applicable? I'm attempting to use the Docker image. <details> <summary>Expand for output related to GitLab environment info</summary> <pre> (For installations with omnibus-gitlab package run and paste the output of: `sudo gitlab-rake gitlab:env:info`) (For installations from source run and paste the output of: `sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production`) </pre> </details> #### Results of GitLab application Check I can't get far enough into the boot process of the container to run these. <!-- Input any relevant GitLab application check information if needed. --> <details> <summary>Expand for output related to the GitLab application check</summary> <pre> (For installations with omnibus-gitlab package run and paste the output of: `sudo gitlab-rake gitlab:check SANITIZE=true`) (For installations from source run and paste the output of: `sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production SANITIZE=true`) (we will only investigate if the tests are passing) </pre> </details> ### Possible fixes <!-- If you can, link to the line of code that might be responsible for the problem. --> ### Patch release information for backports If the bug fix needs to be backported in a [patch release](https://handbook.gitlab.com/handbook/engineering/releases/patch-releases) to a version under [the maintenance policy](https://docs.gitlab.com/policy/maintenance/), please follow the steps on the [patch release runbook for GitLab engineers](https://gitlab.com/gitlab-org/release/docs/-/blob/master/general/patch/engineers.md). Refer to the [internal "Release Information" dashboard](https://dashboards.gitlab.net/d/delivery-release_info/delivery3a-release-information?orgId=1) for information about the next patch release, including the targeted versions, expected release date, and current status. #### High-severity bug remediation To remediate high-severity issues requiring an [internal release](https://handbook.gitlab.com/handbook/engineering/releases/internal-releases/) for single-tenant SaaS instances, refer to the [internal release process for engineers](https://gitlab.com/gitlab-org/release/docs/-/blob/master/general/internal-releases/engineers.md?ref_type=heads). <!-- If you don't have /label privileges, follow up with an issue comment of `@gitlab-bot label ~"type::bug"` -->