Registry database migration logs are created unreadable due to restrictive umask 077
Summary
Registry database migration logs are created with overly restrictive permissions due to umask 077, making them unreadable by non-root processes (e.g., log collectors like Vector or Fluentd).
Steps to reproduce
- Run a registry database migration: gitlab-ctl registry-database migrate up
- Inspect the created migration log file in the registry log directory.
- Notice that the log file is owned by root and has restrictive permissions (0600).
Example code reference
File: files/gitlab-cookbooks/registry/resources/database_migrations.rb
umask 077
gitlab-ctl registry-database migrate up \
#{'--skip-post-deployment' if skip_post_deployment} \
2>& 1 | tee ${LOG_FILE}
Expected behavior
Migration logs should be readable by the registry user or group (e.g., account_helper.registry_group) so that log collection and monitoring tools can access them.
Actual behavior
- Migration logs are created with 0600 permissions.
- Owned by root.
- Unreadable for the registry group and external log processors.
Impact
This prevents log forwarding/ingestion into external systems (e.g., Vector, Fluentd, ELK) unless the collectors are run as root.
Workaround
Manually adjust log permissions after migration, or disable log forwarding for these files (not ideal).
Possible fixes
- Use a less restrictive umask (e.g., 027 or 037).
- Or explicitly set file permissions after creation, ensuring group read access for the registry group (account_helper.registry_group).
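
The following is an added example, not code from this issue or from the cookbook. It shows how the umask decides the mode of a log file created by tee, and how pre-creating the file with an explicit mode and group keeps umask 077 in place for everything else. The echo command stands in for the migration, the function names and temp paths are constructed, and GNU stat and install are assumed.

```shell
#!/bin/sh
# Constructed demo: `echo` stands in for the real migration command.

# Print the octal mode of a log that `tee` creates under the given umask.
log_mode_with_umask() {
  dir=$(mktemp -d)
  (
    umask "$1"
    echo "constructed migration output" 2>&1 | tee "$dir/db-migrations.log" >/dev/null
  )
  stat -c '%a' "$dir/db-migrations.log"
  rm -rf "$dir"
}

# Keep umask 077 but pre-create the log with an explicit mode and group ($1).
# tee truncates the existing file; it does not reset its mode or group.
log_mode_precreated() {
  dir=$(mktemp -d)
  (
    umask 077
    install -m 0640 -g "$1" /dev/null "$dir/db-migrations.log"
    echo "constructed migration output" 2>&1 | tee "$dir/db-migrations.log" >/dev/null
  )
  stat -c '%a %g' "$dir/db-migrations.log"
  rm -rf "$dir"
}

# Compare the three umask values named in this issue, then the pre-create fix.
for mask in 077 027 037; do
  echo "umask $mask -> mode $(log_mode_with_umask "$mask")"
done
echo "pre-created -> mode/gid $(log_mode_precreated "$(id -g)")"
```

Relaxing the umask alone leaves the file's group as that of the creating process (unless the log directory is setgid), so a root-run migration still needs the group set explicitly before the registry group gains read access.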