8.12 + GitLab HA: reconfigure does not work if "/var/opt/gitlab/.ssh" is a symlink

Summary

I have a GitLab instance set up with HA (i.e. several GitLab servers sharing the same DB, the same data/repositories stored on NFS, etc.).

The folder holding the users' public SSH keys (/var/opt/gitlab/.ssh) is a symbolic link to a mounted NFS partition. This way, the users' SSH keys are shared by all the GitLab servers. It looks like this:

$ ls -la /var/opt/gitlab
...
lrwxrwxrwx  1 git          git          23 Sep  9  2014 .ssh -> /my/mounted/partition/with/gitlab/authorized_keys/
...

Up to the latest GitLab CE 8.11.x, it was working like a charm.

Since GitLab CE 8.12.x, it does not work anymore: gitlab-ctl reconfigure fails because the Linux rights (777) of the symbolic link are too high.

As a symbolic link has Linux rights 777 by default, the stat command (see output below) says the rights are too high and the reconfigure fails. But the target directory of this symbolic link has the right permissions, 700.

Steps to reproduce

  • Set up a GitLab instance with GitLab 8.12
  • Delete folder /var/opt/gitlab/.ssh/
  • Create a folder somewhere (it will represent the mounted partition from a NFS), /foo/bar/
  • In /var/opt/gitlab, make a symlink named .ssh targeting the previously created/mounted directory: ln -s /foo/bar .ssh
  • Run gitlab-ctl reconfigure

Expected behavior

gitlab-ctl reconfigure does not fail if /var/opt/gitlab/.ssh is a symlink

Actual behavior

gitlab-ctl reconfigure fails if /var/opt/gitlab/.ssh is a symlink

Relevant logs and/or screenshots

Error during reconfigure in 8.12:

Expected process to exit with [0], but received '1'
 ---- Begin output of test -d "/var/opt/gitlab/.ssh" -a "$(stat --printf='%U:%G %04a' /var/opt/gitlab/.ssh)" = 'git:git 0700' ---- 
STDOUT: 
STDERR: 
---- End output of test -d "/var/opt/gitlab/.ssh" -a "$(stat --printf='%U:%G %04a' /var/opt/gitlab/.ssh)" = 'git:git 0700' ----
Ran test -d "/var/opt/gitlab/.ssh" -a "$(stat --printf='%U:%G %04a' /var/opt/gitlab/.ssh)" = 'git:git 0700' returned 1

Possible fixes

During gitlab-ctl reconfigure, why not check the rights of the target directory rather than those of the symlink? By replacing the executed command:

stat --printf='%U:%G %04a' /var/opt/gitlab/.ssh

with:

stat --printf='%U:%G %04a' "$(readlink -f /var/opt/gitlab/.ssh)"

This way you will check the rights of the target directory, and not those of the symlink. And it still works even if the folder .ssh is not a symlink.
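
The difference between the two checks, as an added example that is not part of the original report and not GitLab's code. It runs the check from the log and the proposed variant against a constructed fixture in a temporary directory (the names nfs_keys and plain and all function names are hypothetical), and also shows that the resolved check still rejects a target looser than 0700.

```shell
#!/bin/sh
# Added example, not GitLab's code. All paths are constructed under mktemp.

# The check as it appears in the 8.12 reconfigure log: stat does not
# dereference by default, so it reports the symlink's own mode.
original_check() {  # $1 = path, $2 = expected "owner:group"
    test -d "$1" -a "$(stat --printf='%U:%G %04a' "$1")" = "$2 0700"
}

# The check with the change proposed in the issue: resolve the path first.
resolved_check() {  # same arguments
    real=$(readlink -f "$1") || return 1
    test -d "$real" -a "$(stat --printf='%U:%G %04a' "$real")" = "$2 0700"
}

# Constructed fixture: a 0700 directory standing in for the NFS mount,
# a .ssh symlink pointing at it, and a plain 0700 .ssh directory.
make_fixture() {
    d=$(mktemp -d) || return 1
    mkdir -m 0700 "$d/nfs_keys" "$d/plain" "$d/plain/.ssh"
    ln -s "$d/nfs_keys" "$d/.ssh"
    echo "$d"
}

report() {  # $1 = label, remaining arguments = check to run
    label=$1; shift
    if "$@"; then echo "$label: pass"; else echo "$label: FAIL"; fi
}

fixture=$(make_fixture)
# Read the owner back from the fixture so the demo works for any user.
owner=$(stat --printf='%U:%G' "$fixture/nfs_keys")
report "original check, symlink   " original_check "$fixture/.ssh" "$owner"
report "resolved check, symlink   " resolved_check "$fixture/.ssh" "$owner"
report "resolved check, plain dir " resolved_check "$fixture/plain/.ssh" "$owner"
chmod 0755 "$fixture/nfs_keys"   # loosen the target: this must be rejected
report "resolved check, 0755 target" resolved_check "$fixture/.ssh" "$owner"
rm -rf "$fixture"
```

The test -d half of the original command already follows the symlink, so only the stat comparison fails. GNU stat's -L (--dereference) option is an alternative to readlink -f.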