gitlab-fix-permissions

This Repositories tries to address the BREAKING CHANGES occurring after Upgrading from Gitlab 16.x to 17.0.

Clone Repository:

git clone https://github.com/luckylinux/gitlab-fix-permissions.git

Change Folder:

cd gitlab-fix-permissions

Copy Example Configuration:

cp config.sh.example config.sh

Customize Configuration according to your Setup:

nano config.sh

I am storing the git-data folder on NFS, mounted on /mnt/git.

The relevant Setting in /etc/gitlab/gitlab.rb is:

git_data_dirs({
  "default" => {
    "path" => "/mnt/git"
   }
})

Both Client (Gitlab Omnibus Instance) and Server (NAS) are Running Debian Bookworm 12 AMD64.

I am running NFS Version 3 over Wireguard VPN in my LAN, as I didn't manage to setup Kerberos Authentication yet and NFSv4 ACLs canb/might be tricky.

Wireguard ensures proper Authentication and Data Encryption.

Client mount options:

10.1.1.1:/export/git                                 /mnt/git                      nfs             rw,user=gitlab-server,auto,nofail,x-systemd.automount,nfsvers=3,proto=tcp          0       0

Note that I am running NFSv3 in tcp mode in order to ensure Data Integrity, since Wireguard is running over UDP.

Server /etc/exportfs:

/export/git			10.1.1.2/32(rw,no_root_squash,nohide,sync,no_subtree_check,fsid=100)

Server /etc/nfs.conf - make sure that manage-gids is DISABLED (commented) otherwise Secondary Groups will NOT work correctly:

[exportd]
#manage-gids=n
[mountd]
#manage-gids=n

Server /etc/defaults/nfs-kernel-server - make sure that manage-gids is DISABLED (commented) otherwise Secondary Groups will NOT work correctly:

# Options for rpc.mountd.
# If you have a port-based firewall, you might want to set up
# a fixed port here using the --port option. For more information, 
# see rpc.mountd(8) or http://wiki.debian.org/SecuringNFS
# To disable NFSv4 on the server, specify '--no-nfs-version 4' here
#RPCMOUNTDOPTS="--manage-gids"
RPCMOUNTDOPTS=""

Restart NFS Server / Reboot NAS:

exportfs -rv
exportfs -a
systemctl restart nfs-server
systemctl restart nfs-kernel-server

This Section describe the Changes that are required in /etc/gitlab/gitlab.rc.

The default git User Name and Group Name can create conflicts on the NAS/NFS, since it doesn't map to the correct uid / gid.

In this case, both the Client (Gitlab Omnibus) and Server (NAS) have:

• User name: gitlab-server
• User id (uid): 2505
• Group name: gitlab-server
• Group id (gid): 2505

The Configuration in /etc/gitlab/gitlab.rb is therefore as follows:

user['username'] = "gitlab-server"
user['group'] = "gitlab-server"
user['uid'] = 2505
user['gid'] = 2505

##! The shell for the git user
user['shell'] = "/bin/bash"

##! The home directory for the git user
user['home'] = "/var/opt/gitlab"

The /var/opt/gitlab line might NOT be required, since it's the default. I prefer to usee bash when having to troubleshoot, instead of /bin/sh. That is per-se however not required.

This is to prevent gitlab from setting wrong ACLs, Mask (when doing chmod this can result in mask: ---), etc.

The Configuration in /etc/gitlab/gitlab.rb is therefore as follows:

manage_accounts['enable'] = false
manage_storage_directories['enable'] = false
manage_storage_directories['manage_etc'] = false

Run

./fix_permissions.sh

In my case puma and gitaly:

gitlab-ctl status

Which File/Folder Permissions is preventing puma from working correctly ?

gitlab-ctl tail puma

Which File/Folder Permissions is preventing gitaly from working correctly ?

gitlab-ctl tail gitaly