Fix registry permission to restart service if using sudo -u registry

João Alexandre Cunharequested to merge
fix-registry-commands-permission-for-non-docker into master

What does this MR do?

Fix registry permission to restart service

When we run the registry commnads with the registry user and the current directory is not accessible by runit, it fails with:

fatal: unable to open current directory: access denied

Changelog: fixed

This problem only happens when using sudo -u registry as a prefix to the registry migration command.

Proposal

Change the directory as soon as we start to execute the command to a Dir where the registry user has access to: /var/opt/gitlab/registry. This will only happen for that process and will not move the user from its original location.

Now when system() spawns the child process, it inherits /var/opt/gitlab/registry as the working directory - which the registry user does have permission to access!

The key insight: when you use sudo -u to switch users, the new user process inherits the current directory, but may not have permission to access it. You needed to ensure the working directory was somewhere the registry user could actually read.

For a deeper explanation of the problem, bit by bit, read the issue description: Registry migration fails to restart service whe... (#9423).

Related issues

Closes Registry migration fails to restart service whe... (#9423)

Checklist

See Definition of done.

For anything in this list which will not be completed, please provide a reason in the MR discussion.

Required

  • MR title and description are up to date, accurate, and descriptive.
  • MR targeting the appropriate branch.
  • Latest Merge Result pipeline is green.
  • When ready for review, MR is labeled workflowready for review per the Distribution MR workflow.

For GitLab team members

If you don't have access to this, the reviewer should trigger these jobs for you during the review process.

  • The manual Trigger:ee-package jobs have a green pipeline running against latest commit.
  • If config/software or config/patches directories are changed, make sure the build-package-on-all-os job within the Trigger:ee-package downstream pipeline succeeded.
  • If you are changing anything SSL related, then the Trigger:package:fips manual job within the Trigger:ee-package downstream pipeline must succeed.
  • If CI configuration is changed, the branch must be pushed to dev.gitlab.org to confirm regular branch builds aren't broken.

Expected (please provide an explanation if not completing)

  • Test plan indicating conditions for success has been posted and passes.
  • Documentation created/updated.
  • Tests added.
  • Integration tests added to GitLab QA.
  • Equivalent MR/issue for the GitLab Chart opened.
  • Validate potential values for new configuration settings. Formats such as integer 10, duration 10s, URI scheme://user:passwd@host:port may require quotation or other special handling when rendered in a template and written to a configuration file.
Edited by João Alexandre Cunha

Merge request reports