Registry system user should be able to open registry sv files

Problem

When using the registry system user to run migrations, the migration gets executed, but the migration command fails to call supervisor to restart the service:

root@78681e6a4094:/# sudo -u registry gitlab-ctl registry-database migrate up --skip-post-deployment
Running migrate up
Executing command:
/opt/gitlab/embedded/bin/registry database migrate up -s /var/opt/gitlab/registry/config.yml
OK: applied 0 pre-deployment migration(s), 0 post-deployment migration(s) and 0 background migration(s) in 0.054s
Starting service registry
warning: registry: unable to open supervise/ok: access denied

I believe this happens on self.start!.

I noticed that the service files are owned by root/root:

root@da9d2416205f:/# ls -la /opt/gitlab/sv/registry/supervise/
total 20
drwxr-xr-x 2 root root 4096 Oct 15 13:53 .
drwxr-xr-x 6 root root 4096 Oct 15 13:51 ..
prw------- 1 root root    0 Oct 15 13:51 control
-rw------- 1 root root    0 Oct 15 13:51 lock
prw------- 1 root root    0 Oct 15 13:51 ok
-rw-r--r-- 1 root root    5 Oct 15 13:53 pid
-rw-r--r-- 1 root root    4 Oct 15 13:53 stat
-rw-r--r-- 1 root root   20 Oct 15 13:53 status

For test purposes, I was able to circumvent it by manually adding registry to the root group: usermod -a -G root registry

Then changing permissions of /opt/gitlab/sv/registry/supervise/ok file to 660: chmod 660 /opt/gitlab/sv/registry/supervise/ok.

Proposal

Use supervisor_group account_helper.registry_group to give a registry group write access to the registry-only sv files.

From the runit docs:

Is it possible to allow a user other than root to control a service?

Answer: Yes, you simply need to adjust file system permissions for the ./supervise/ subdirectory in the service directory. E.g.: to allow the user burdon to control the service dhcp, change to the dhcp service directory, and do

# chmod 755 ./supervise
# chown burdon ./supervise/ok ./supervise/control ./supervise/status

This works similarly with groups, of course.

Edited by João Alexandre Cunha
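
The proposal and the runit FAQ answer above, as an added shell example that is not GitLab's or runit's code: it gives one group access to a single service's supervise files, instead of adding the user to the root group, and checks the result. It assumes GNU stat; the function names are hypothetical, and the service directory and group are supplied by the caller.

```shell
#!/bin/sh
# Added example (not GitLab's code). Assumes GNU stat; GROUP is a name or gid.

# mode_has FILE MASK: true when FILE's permission bits include octal MASK.
mode_has() {
    mode=$(stat -c '%a' "$1") || return 1
    [ $(( 0$mode & 0$2 )) -eq $(( 0$2 )) ]
}

# owned_by_group FILE GROUP: true when FILE's group matches by name or gid.
owned_by_group() {
    case "$(stat -c '%G %g' "$1")" in
        "$2 "*|*" $2") return 0 ;;
    esac
    return 1
}

# sv_grant_group SERVICE_DIR GROUP: the runit FAQ recipe, using a group.
sv_grant_group() {
    dir=$1/supervise
    chmod 755 "$dir" &&
    chgrp "$2" "$dir/ok" "$dir/control" "$dir/status" &&
    chmod g+rw "$dir/ok" "$dir/control" &&
    chmod g+r "$dir/status"
}

# sv_group_can_control SERVICE_DIR GROUP: 0 when GROUP has that access.
sv_group_can_control() {
    dir=$1/supervise
    mode_has "$dir" 055 || return 1            # searchable, as chmod 755 gives
    for f in ok control; do
        owned_by_group "$dir/$f" "$2" || return 1
        mode_has "$dir/$f" 060 || return 1     # group read/write on both FIFOs
    done
    # status only needs to be readable: by everyone, or by the group
    mode_has "$dir/status" 004 && return 0
    owned_by_group "$dir/status" "$2" && mode_has "$dir/status" 040
}
```

Run the check as root against a service directory such as the one in the listing above; a non-zero exit means the group does not yet have the access `sv` needs.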