Missing permissions for runit collector

Summary

The permissions applied to runit supervise folder are insufficient for node exporter to read the status files.

Steps to reproduce

  • On a new or an existing GitLab instance on Linux, get runit metrics with curl -s http://localhost:9100/metrics | grep node_service_state
  • The only service is PostgreSQL

What is the current bug behavior?

By default, node exporter is correctly configured. The runit collector (which is deprecated!) is enabled (--collector-runit) and configured (--collector.runit.servicedir=/opt/gitlab/sv).

However, the Linux user gitlab-prometheus does not have enough permissions to read the status file in the supervise folder of each service.

When we check the permissions of all the runit supervise folders, we can see that only one service has correct permissions:

# ls -l /opt/gitlab/sv/*/ | grep supervise
drwx------. 2 root root  80 Jul 23 16:28 supervise
drwx------. 2 root root  80 Jul 23 16:28 supervise
drwx------. 2 root root  80 Jul 23 16:28 supervise
drwx------. 2 root root  80 Jul 23 16:28 supervise
drwx------. 2 root root  70 May  5 17:55 supervise
drwx------. 2 root root  80 Jul 23 16:28 supervise
drwx------. 2 root root  80 Jul 23 16:28 supervise
drwx------. 2 root root  80 Aug  1 11:28 supervise
drwx------. 2 root root  80 Jul 23 16:28 supervise
drwx------. 2 root root  80 Aug  1 11:30 supervise
drwx------. 2 root root  80 Jul 23 16:28 supervise
drwxr-xr-x. 2 root root  80 Jul 23 16:21 supervise
drwx------. 2 root root  80 Jul 23 16:28 supervise
drwx------. 2 root root  80 Jul 23 16:28 supervise
drwx------. 2 root root  80 Jul 23 16:28 supervise
drwx------. 2 root root  80 Jul 23 16:21 supervise
drwx------. 2 root root  80 Jul 27 14:00 supervise
drwx------. 2 root root  80 Jul 23 16:28 supervise

I can fix this issue by running chmod 755 /opt/gitlab/sv/*/supervise. But this is not a sustainable solution.

What is the expected correct behavior?

We should have all runit service in the Prometheus metrics. All supervised folders should have 755 permissions.

Relevant logs

We can see the permission errors in the logs by enabling debug log for node exporter.

node_exporter['flags'] = {
  'log.level' => 'debug'
}

Then, in /var/log/gitlab/node-exporter/current

Relevant logs 
2025-08-01_09:30:54.46854 time=2025-08-01T09:30:54.468Z level=DEBUG source=runit.go:85 msg="Couldn't get status" collector=runit service=alertmanager err="open /opt/gitlab/sv/alertmanager/supervise/status: permission denied"
2025-08-01_09:30:54.46858 time=2025-08-01T09:30:54.468Z level=DEBUG source=runit.go:85 msg="Couldn't get status" collector=runit service=crond err="open /opt/gitlab/sv/crond/supervise/status: permission denied"
2025-08-01_09:30:54.46862 time=2025-08-01T09:30:54.468Z level=DEBUG source=runit.go:85 msg="Couldn't get status" collector=runit service=gitaly err="open /opt/gitlab/sv/gitaly/supervise/status: permission denied"
2025-08-01_09:30:54.46866 time=2025-08-01T09:30:54.468Z level=DEBUG source=runit.go:85 msg="Couldn't get status" collector=runit service=gitlab-exporter err="open /opt/gitlab/sv/gitlab-exporter/supervise/status: permission denied"
2025-08-01_09:30:54.46868 time=2025-08-01T09:30:54.468Z level=DEBUG source=runit.go:85 msg="Couldn't get status" collector=runit service=gitlab-kas err="open /opt/gitlab/sv/gitlab-kas/supervise/status: permission denied"
2025-08-01_09:30:54.46873 time=2025-08-01T09:30:54.468Z level=DEBUG source=runit.go:85 msg="Couldn't get status" collector=runit service=gitlab-sshd err="open /opt/gitlab/sv/gitlab-sshd/supervise/status: permission denied"
2025-08-01_09:30:54.46876 time=2025-08-01T09:30:54.468Z level=DEBUG source=runit.go:85 msg="Couldn't get status" collector=runit service=gitlab-workhorse err="open /opt/gitlab/sv/gitlab-workhorse/supervise/status: permission denied"
2025-08-01_09:30:54.46880 time=2025-08-01T09:30:54.468Z level=DEBUG source=runit.go:85 msg="Couldn't get status" collector=runit service=logrotate err="open /opt/gitlab/sv/logrotate/supervise/status: permission denied"
2025-08-01_09:30:54.46883 time=2025-08-01T09:30:54.468Z level=DEBUG source=runit.go:85 msg="Couldn't get status" collector=runit service=nginx err="open /opt/gitlab/sv/nginx/supervise/status: permission denied"
2025-08-01_09:30:54.46886 time=2025-08-01T09:30:54.468Z level=DEBUG source=runit.go:85 msg="Couldn't get status" collector=runit service=node-exporter err="open /opt/gitlab/sv/node-exporter/supervise/status: permission denied"
2025-08-01_09:30:54.46889 time=2025-08-01T09:30:54.468Z level=DEBUG source=runit.go:85 msg="Couldn't get status" collector=runit service=postgres-exporter err="open /opt/gitlab/sv/postgres-exporter/supervise/status: permission denied"
2025-08-01_09:30:54.46892 time=2025-08-01T09:30:54.468Z level=DEBUG source=runit.go:89 msg=duration collector=runit service=postgresql status=1 pid=1270 duration_seconds=760149
2025-08-01_09:30:54.46895 time=2025-08-01T09:30:54.468Z level=DEBUG source=runit.go:85 msg="Couldn't get status" collector=runit service=prometheus err="open /opt/gitlab/sv/prometheus/supervise/status: permission denied"
2025-08-01_09:30:54.46899 time=2025-08-01T09:30:54.468Z level=DEBUG source=runit.go:85 msg="Couldn't get status" collector=runit service=puma err="open /opt/gitlab/sv/puma/supervise/status: permission denied"
2025-08-01_09:30:54.46901 time=2025-08-01T09:30:54.468Z level=DEBUG source=runit.go:85 msg="Couldn't get status" collector=runit service=redis err="open /opt/gitlab/sv/redis/supervise/status: permission denied"
2025-08-01_09:30:54.46905 time=2025-08-01T09:30:54.468Z level=DEBUG source=runit.go:85 msg="Couldn't get status" collector=runit service=redis-exporter err="open /opt/gitlab/sv/redis-exporter/supervise/status: permission denied"
2025-08-01_09:30:54.46908 time=2025-08-01T09:30:54.468Z level=DEBUG source=runit.go:85 msg="Couldn't get status" collector=runit service=registry err="open /opt/gitlab/sv/registry/supervise/status: permission denied"
2025-08-01_09:30:54.46911 time=2025-08-01T09:30:54.468Z level=DEBUG source=runit.go:85 msg="Couldn't get status" collector=runit service=sidekiq err="open /opt/gitlab/sv/sidekiq/supervise/status: permission denied"

Details of package version

Provide the package version installation details 
gitlab-ee-18.2.1-ee.0.el9.x86_64

Environment details

  • Operating System: AlmaLinux OS 9.6
  • Installation Target, remove incorrect values:
    • VM: VMware
  • Installation Type, remove incorrect values:
    • New Installation
    • Upgrade from version any
  • Is there any other software running on the machine: No
  • Is this a single or multiple node installation?: Single node
  • Resources
    • CPU: 4 vCPU
    • Memory total: 10 GB

Configuration details

Provide the relevant sections of `/etc/gitlab/gitlab.rb` 
The problems occur with default or custom configuration file.