Non-packaged Redis socket permission issues
I have strange permission issues with gitlab-omnibus when using a non-packaged redis server.
It comes down to this: when I set my socket permission in /etc/redis/redis.conf to 770 and restart the server, the CPU load by gitlab goes to 100% and gitlab presents the deployment page. However, when I set the permission to 777, everything works fine.
I have made git a member of the redis group and I've even gone as far as trying to add gitlab-www, gitlab-redis and gitlab-psql to the redis group.
I also use the same redis instance for owncloud (www-data) without issues.
Here is some other information:
Versions:
Ubuntu 15.10
GitLab 8.4.0
GitLab Shell 2.6.10
GitLab API v3
Git 2.6.2
Ruby 2.1.8p440
Rails 4.2.4
Redis server 3.0.3
ls -lh /var/run/redis/:
-rw-r--r-- 1 redis redis 6 Jan 23 18:21 redis-server.pid
srwxrwx--- 1 redis redis 0 Jan 23 18:21 redis.sock
getent group redis:
redis:x:121:www-data,git,gitlab-www,gitlab-redis,gitlab-psql
This is my gitlab.rb file
external_url 'https://gitlab.example.com'
# Web Server (Apache2)
nginx['enable'] = false
web_server['external_users'] = ['www-data']
gitlab_workhorse['listen_network'] = "tcp"
gitlab_workhorse['listen_addr'] = "127.0.0.1:8181"
#PostgresQL
postgresql['enable'] = false
# Fill in the connection details for database.yml
gitlab_rails['db_encoding'] = 'utf8'
gitlab_rails['db_host'] = '/var/run/postgresql'
#gitlab_rails['db_port'] = '3306'
gitlab_rails['db_username'] = 'git'
gitlab_rails['db_password'] = ''
# For GitLab CI, you can use the same parameters:
gitlab_ci['db_encoding'] = 'utf8'
gitlab_ci['db_host'] = '/var/run/postgresql'
#gitlab_ci['db_port'] = '3306'
gitlab_ci['db_username'] = 'git'
gitlab_ci['db_password'] = ''
# Git Data
git_data_dir "/srv/git-data"
# Redis
redis['enable'] = false
gitlab_rails['redis_socket'] = '/var/run/redis/redis.sock'
The log files are getting huge real fast when gitlab can't reach the redis server, but I think these are the relevant bits:
/var/log/gitlab/unicorn/unicorn_stderr.log
/opt/gitlab/embedded/service/gem/ruby/2.1.0/gems/redis-3.2.2/lib/redis/connection/ruby.rb:180:in `connect_nonblock': Permission denied - connect(2) for /var/run/redis/redis.sock (Errno::EACCES)
from /opt/gitlab/embedded/service/gem/ruby/2.1.0/gems/redis-3.2.2/lib/redis/connection/ruby.rb:180:in `connect'
from /opt/gitlab/embedded/service/gem/ruby/2.1.0/gems/redis-3.2.2/lib/redis/connection/ruby.rb:209:in `connect'
from /opt/gitlab/embedded/service/gem/ruby/2.1.0/gems/redis-3.2.2/lib/redis/client.rb:323:in `establish_connection'
...
/var/log/gitlab/sidekiq/current
2016-01-23_17:34:24.14235 Permission denied - connect(2) for /var/run/redis/redis.sock
2016-01-23_17:34:24.14240 /opt/gitlab/embedded/service/gem/ruby/2.1.0/gems/redis-3.2.2/lib/redis/connection/ruby.rb:180:in `connect_nonblock'
2016-01-23_17:34:24.14241 /opt/gitlab/embedded/service/gem/ruby/2.1.0/gems/redis-3.2.2/lib/redis/connection/ruby.rb:180:in `connect'
2016-01-23_17:34:24.14242 /opt/gitlab/embedded/service/gem/ruby/2.1.0/gems/redis-3.2.2/lib/redis/connection/ruby.rb:209:in `connect'
2016-01-23_17:34:24.14242 /opt/gitlab/embedded/service/gem/ruby/2.1.0/gems/redis-3.2.2/lib/redis/client.rb:323:in `establish_connection'
2016-01-23_17:34:24.14243 /opt/gitlab/embedded/service/gem/ruby/2.1.0/gems/redis-3.2.2/lib/redis/client.rb:94:in `block in connect'
...
Setting the permission of the redis socket to 777 fixes the issue, but I would very much prefer to just give the relevant gitlab user(s) permission. My main question is: which user(s) need permission? However, I also think this might be a bug, because I found an old blog post that suggests it should be the git user here.
As a security measure against this risk we are changing the default settings for GitLab to connect to Redis via Unix domain sockets. This allows system administrators to limit Redis access to the git user using file/directory permissions.
Thanks.
Note: I originally posted it over at https://gitlab.com/gitlab-org/gitlab-ce/issues/12659, but I realized this was probably an issue with omnibus.
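Added diagnostic, not part of the original post and not GitLab's own tooling: the script below replicates the check the kernel applies to connect(2) on a Unix domain socket (write permission on the socket inode plus search permission on every directory leading to it), first for a named user from the group database and then for an already running process from /proc. The second view is the one a practitioner wants here, because a process's supplementary groups are fixed when it is started: `getent group redis` can list git while a unicorn or sidekiq worker that was started earlier, or started by a supervisor that did not apply supplementary groups, still carries no gid 121. Assumptions: Linux /proc, GNU coreutils stat(1) and id(1), uid 0 treated as passing every check; the script name and all uids/gids used in the checks are constructed.

```shell
#!/bin/sh
# Added diagnostic for Unix-socket permission errors (example code, not from
# the original post or from GitLab). It mirrors the check the kernel applies
# to connect(2) on a Unix domain socket: write permission on the socket inode
# plus search (x) permission on every directory leading to it.
# Assumptions: Linux /proc, GNU coreutils stat(1) and id(1); uid 0 is treated
# as passing every check (CAP_DAC_OVERRIDE), which is the usual case.

# octal_to_dec "770" or "0770" -> decimal mode bits (770 -> 504)
octal_to_dec() {
    m=$(printf '%s' "$1" | sed 's/^0*//')
    printf '%s\n' "$(( 0${m:-0} ))"
}

# perm_allows MODE OWNER_UID OWNER_GID CALLER_UID "CALLER_GIDS" WANT
# WANT is the permission mask needed: 4 read, 2 write, 1 exec/search.
# Like the kernel, it uses the group class as soon as any caller gid matches
# the file's gid and never falls through to the "other" bits.
perm_allows() {
    mode=$(octal_to_dec "$1"); fuid=$2; fgid=$3; uid=$4; gids=$5; want=$6
    [ "$uid" -eq 0 ] && return 0
    if [ "$uid" -eq "$fuid" ]; then
        bits=$(( (mode >> 6) & 7 ))
    else
        bits=$(( mode & 7 ))
        for g in $gids; do
            [ "$g" -eq "$fgid" ] && bits=$(( (mode >> 3) & 7 ))
        done
    fi
    [ $(( bits & want )) -eq "$want" ]
}

# path_allows SOCKET_PATH CALLER_UID "CALLER_GIDS"
# Checks search permission on each directory component, then write on the
# socket itself, naming the first component that blocks the caller.
path_allows() {
    sock=$1; uid=$2; gids=$3
    d=$(dirname "$sock")
    while :; do
        set -- $(stat -c '%a %u %g' "$d")
        perm_allows "$1" "$2" "$3" "$uid" "$gids" 1 ||
            { echo "no search permission on $d"; return 1; }
        [ "$d" = "/" ] && break
        d=$(dirname "$d")
    done
    set -- $(stat -c '%a %u %g' "$sock")
    perm_allows "$1" "$2" "$3" "$uid" "$gids" 2 ||
        { echo "no write permission on $sock"; return 1; }
}

# user_can_connect USER SOCKET_PATH: what a process started *now* as USER
# would get, taken from the group database (the same source as getent group).
user_can_connect() {
    path_allows "$2" "$(id -u "$1")" "$(id -G "$1")"
}

# process_can_connect PID SOCKET_PATH: what the already running process has.
# File access uses the fsuid/fsgid (4th value on the Uid:/Gid: lines) plus the
# Groups: line; supplementary groups are fixed at startup, so a group added
# later, or one the service supervisor never applied, is simply absent here.
process_can_connect() {
    st="/proc/$1/status"
    fsuid=$(awk '/^Uid:/ { print $5 }' "$st")
    gids="$(awk '/^Gid:/ { print $5 }' "$st") $(awk '/^Groups:/ { $1 = ""; print }' "$st")"
    path_allows "$2" "$fsuid" "$gids"
}

# Usage on the affected host (the script name is hypothetical):
#   sh sockcheck.sh git /var/run/redis/redis.sock [PID-of-unicorn-or-sidekiq]
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    if user_can_connect "$1" "$2"; then echo "user $1: ok"; fi
    if [ -n "${3:-}" ]; then
        if process_can_connect "$3" "$2"; then echo "pid $3: ok"; fi
    fi
fi
```

Run it twice: once with the service user (git) to see what the group database promises, and once with the PID of a running unicorn or sidekiq worker to see what that process actually holds. If the first passes and the second fails on the socket's write bit, the running process is missing the redis gid and a restart (or a supervisor configured to apply supplementary groups) is what is needed, not a wider socket mode; if both fail on a directory, the blocking component is the directory, not the socket.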