Skip to content

Permissions issue when creating backups

I am trying to run a backup via gitlab-rake however am running into permissions issues in the process.

My backup directory has been changed from the default directory to /home/admin/backups/gitlab/.
I have tried changing permissions on both the backups and gitlab directory, even to 777 with no luck. I have turned off SELinux. I have chown/chgrp'd both folders to: admin, root, git, gitlab-www, gitlab-redis, gitlab-psql
No luck with any of them.

Also, as you can see in my second snippet, it issues the error not on the gitlab directory, but the backups directory. It made me think that maybe it's trying to recreate the gitlab directory but running into issues because it already exists, nope. I deleted the directory and still had the issue.

Everything else runs smoothely, have not had an issue otherwise. GitLab version is 7.8.2. It is omnibus.

Output of gitlab-rake gitlab:backup:create:

[admin@Backup01 backups]$ gitlab-rake gitlab:backup:create
chpst: fatal: unable to setgroups: permission denied

Output of sudo gitlab-rake gitlab:backup:create --trace:

[admin@Backup01 backups]$ sudo gitlab-rake gitlab:backup:create --trace
** Invoke gitlab:backup:create (first_time)
** Invoke environment (first_time)
** Execute environment
** Execute gitlab:backup:create
** Invoke gitlab:backup:db:create (first_time)
** Invoke environment 
** Execute gitlab:backup:db:create
Dumping database ... 
rake aborted!
Errno::EACCES: Permission denied @ dir_s_mkdir - /home/admin/backups
/opt/gitlab/embedded/lib/ruby/2.1.0/fileutils.rb:250:in `mkdir'
/opt/gitlab/embedded/lib/ruby/2.1.0/fileutils.rb:250:in `fu_mkdir'
/opt/gitlab/embedded/lib/ruby/2.1.0/fileutils.rb:224:in `block (2 levels) in mkdir_p'
/opt/gitlab/embedded/lib/ruby/2.1.0/fileutils.rb:222:in `reverse_each'
/opt/gitlab/embedded/lib/ruby/2.1.0/fileutils.rb:222:in `block in mkdir_p'
/opt/gitlab/embedded/lib/ruby/2.1.0/fileutils.rb:208:in `each'
/opt/gitlab/embedded/lib/ruby/2.1.0/fileutils.rb:208:in `mkdir_p'
/opt/gitlab/embedded/service/gitlab-rails/lib/backup/database.rb:10:in `initialize'
/opt/gitlab/embedded/service/gitlab-rails/lib/tasks/gitlab/backup.rake:55:in `new'
/opt/gitlab/embedded/service/gitlab-rails/lib/tasks/gitlab/backup.rake:55:in `block (4 levels) in <top (required)>'
/opt/gitlab/embedded/service/gem/ruby/2.1.0/gems/rake-10.3.2/lib/rake/task.rb:240:in `call'
/opt/gitlab/embedded/service/gem/ruby/2.1.0/gems/rake-10.3.2/lib/rake/task.rb:240:in `block in execute'
/opt/gitlab/embedded/service/gem/ruby/2.1.0/gems/rake-10.3.2/lib/rake/task.rb:235:in `each'
/opt/gitlab/embedded/service/gem/ruby/2.1.0/gems/rake-10.3.2/lib/rake/task.rb:235:in `execute'
/opt/gitlab/embedded/service/gem/ruby/2.1.0/gems/rake-10.3.2/lib/rake/task.rb:179:in `block in invoke_with_call_chain'
/opt/gitlab/embedded/lib/ruby/2.1.0/monitor.rb:211:in `mon_synchronize'
/opt/gitlab/embedded/service/gem/ruby/2.1.0/gems/rake-10.3.2/lib/rake/task.rb:172:in `invoke_with_call_chain'
/opt/gitlab/embedded/service/gem/ruby/2.1.0/gems/rake-10.3.2/lib/rake/task.rb:165:in `invoke'
/opt/gitlab/embedded/service/gitlab-rails/lib/tasks/gitlab/backup.rake:11:in `block (3 levels) in <top (required)>'
/opt/gitlab/embedded/service/gem/ruby/2.1.0/gems/rake-10.3.2/lib/rake/task.rb:240:in `call'
/opt/gitlab/embedded/service/gem/ruby/2.1.0/gems/rake-10.3.2/lib/rake/task.rb:240:in `block in execute'
/opt/gitlab/embedded/service/gem/ruby/2.1.0/gems/rake-10.3.2/lib/rake/task.rb:235:in `each'
/opt/gitlab/embedded/service/gem/ruby/2.1.0/gems/rake-10.3.2/lib/rake/task.rb:235:in `execute'
/opt/gitlab/embedded/service/gem/ruby/2.1.0/gems/rake-10.3.2/lib/rake/task.rb:179:in `block in invoke_with_call_chain'
/opt/gitlab/embedded/lib/ruby/2.1.0/monitor.rb:211:in `mon_synchronize'
/opt/gitlab/embedded/service/gem/ruby/2.1.0/gems/rake-10.3.2/lib/rake/task.rb:172:in `invoke_with_call_chain'
/opt/gitlab/embedded/service/gem/ruby/2.1.0/gems/rake-10.3.2/lib/rake/task.rb:165:in `invoke'
/opt/gitlab/embedded/service/gem/ruby/2.1.0/gems/rake-10.3.2/lib/rake/application.rb:150:in `invoke_task'
/opt/gitlab/embedded/service/gem/ruby/2.1.0/gems/rake-10.3.2/lib/rake/application.rb:106:in `block (2 levels) in top_level'
/opt/gitlab/embedded/service/gem/ruby/2.1.0/gems/rake-10.3.2/lib/rake/application.rb:106:in `each'
/opt/gitlab/embedded/service/gem/ruby/2.1.0/gems/rake-10.3.2/lib/rake/application.rb:106:in `block in top_level'
/opt/gitlab/embedded/service/gem/ruby/2.1.0/gems/rake-10.3.2/lib/rake/application.rb:115:in `run_with_threads'
/opt/gitlab/embedded/service/gem/ruby/2.1.0/gems/rake-10.3.2/lib/rake/application.rb:100:in `top_level'
/opt/gitlab/embedded/service/gem/ruby/2.1.0/gems/rake-10.3.2/lib/rake/application.rb:78:in `block in run'
/opt/gitlab/embedded/service/gem/ruby/2.1.0/gems/rake-10.3.2/lib/rake/application.rb:176:in `standard_exception_handling'
/opt/gitlab/embedded/service/gem/ruby/2.1.0/gems/rake-10.3.2/lib/rake/application.rb:75:in `run'
/opt/gitlab/embedded/service/gem/ruby/2.1.0/gems/rake-10.3.2/bin/rake:33:in `<top (required)>'
/opt/gitlab/embedded/service/gem/ruby/2.1.0/bin/rake:23:in `load'
/opt/gitlab/embedded/service/gem/ruby/2.1.0/bin/rake:23:in `<main>'
Tasks: TOP => gitlab:backup:db:create

If I run off the backup as root user, the output is the same as having sudo'd above. Tracing the command without sudo from admin does not change output.

File permissions as they currently stand, (as they were for the above commands):

[admin@Backup01 ~]$ ls -RZ .
.:
drwx------. admin admin unconfined_u:object_r:user_home_t:s0 backups

./backups:
drwxrwxr-x. admin admin unconfined_u:object_r:user_home_t:s0 gitlab

./backups/gitlab:

Here is my gitlab check:

[admin@Backup01 ~]$ sudo gitlab-rake gitlab:check
Checking Environment ...

Git configured for git user? ... yes

Checking Environment ... Finished

Checking GitLab Shell ...

GitLab Shell version >= 2.5.4 ? ... OK (2.5.4)
Repo base directory exists? ... yes
Repo base directory is a symlink? ... no
Repo base owned by git:git? ... yes
Repo base access is drwxrws---? ... yes
Satellites access is drwxr-x---? ... yes
hooks directories in repos are links: ... 
Shane Thompson / server-stats ... ok
Shane Thompson / switch-manager ... ok
Shane Thompson / config-files ... ok
Shane Thompson / dhcp-leases ... ok
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Check GitLab API access: OK
Check directories and files: 
	/var/opt/gitlab/git-data/repositories: OK
	/var/opt/gitlab/.ssh/authorized_keys: OK
Test redis-cli executable: redis-cli 2.8.2
Send ping to redis server: PONG
gitlab-shell self-check successful

Checking GitLab Shell ... Finished

Checking Sidekiq ...

Running? ... yes
Number of Sidekiq processes ... 1

Checking Sidekiq ... Finished

Checking LDAP ...

LDAP is disabled in config/gitlab.yml

Checking LDAP ... Finished

Checking GitLab ...

Database config exists? ... yes
Database is SQLite ... no
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config outdated? ... no
Log directory writable? ... yes
Tmp directory writable? ... yes
Init script exists? ... skipped (omnibus-gitlab has no init script)
Init script up-to-date? ... skipped (omnibus-gitlab has no init script)
projects have namespace: ... 
Shane Thompson / server-stats ... yes
Shane Thompson / switch-manager ... yes
Shane Thompson / config-files ... yes
Shane Thompson / dhcp-leases ... yes
Projects have satellites? ... 
Shane Thompson / server-stats ... yes
Shane Thompson / switch-manager ... yes
Shane Thompson / config-files ... yes
Shane Thompson / dhcp-leases ... yes
Redis version >= 2.0.0? ... yes
Ruby version >= 2.0.0 ? ... yes (2.1.5)
Your git bin path is "/opt/gitlab/embedded/bin/git"
Git version >= 1.7.10 ? ... yes (2.0.5)

Checking GitLab ... Finished

One more thing that may be good to know: I couldn't run gitlab-rake as non-root without sudo - so I did modify the permissions of a gitlab directory. This has not seemed to change the issue.

[admin@Backup01 backups]$ sudo stat /opt/gitlab/etc/gitlab-rails/
  File: ‘/opt/gitlab/etc/gitlab-rails/’
  Size: 38        	Blocks: 0          IO Block: 4096   directory
Device: fd01h/64769d	Inode: 135828743   Links: 3
Access: (0700/drwx------)  Uid: (  996/     git)   Gid: (    0/    root)
Context: unconfined_u:object_r:usr_t:s0
Access: 2015-06-16 08:05:11.501654164 +0800
Modify: 2015-03-06 10:23:13.953103379 +0800
Change: 2015-03-06 10:23:13.953103379 +0800
 Birth: -
[admin@Backup01 backups]$ sudo chmod 755 /opt/gitlab/etc/gitlab-rails/