GitLab Basics: Notes on Resolving Permission denied

This article records an example of how SELinux can affect GitLab.

Symptom

Start the GitLab service with the following docker-compose.yml:

[root@host131 gitlab]# cat docker-compose.yml 
version: '2'    
services:
  # Version Control service: Gitlab
  gitlab:
    image: gitlab/gitlab-ce:12.10.5-ce.0
    ports:
      - "32001:80"
      - "30022:22"
      - "30443:443"
    volumes:
      - ./log/:/var/log/gitlab
      - ./data/:/var/opt/gitlab
      - ./conf/:/etc/gitlab
    restart: "no"
[root@host131 gitlab]# 

The following problem occurs at startup:

[root@host131 gitlab]# docker-compose up
Starting gitlab_gitlab_1 ... done
Attaching to gitlab_gitlab_1
gitlab_1  | Thank you for using GitLab Docker Image!
gitlab_1  | Current version: gitlab-ce=12.10.5-ce.0
gitlab_1  | 
gitlab_1  | Configure GitLab for your system by editing /etc/gitlab/gitlab.rb file
gitlab_1  | And restart this container to reload settings.
gitlab_1  | To do it use docker exec:
gitlab_1  | 
gitlab_1  |   docker exec -it gitlab vim /etc/gitlab/gitlab.rb
gitlab_1  |   docker restart gitlab
gitlab_1  | 
gitlab_1  | For a comprehensive list of configuration options please see the Omnibus GitLab readme
gitlab_1  | https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/README.md
gitlab_1  | 
gitlab_1  | If this container fails to start due to permission problems try to fix it by executing:
gitlab_1  | 
gitlab_1  |   docker exec -it gitlab update-permissions
gitlab_1  |   docker restart gitlab
gitlab_1  | 
gitlab_1  | Cleaning stale PIDs & sockets
gitlab_1  | Installing gitlab.rb config...
gitlab_1  | cp: cannot create regular file '/etc/gitlab/gitlab.rb': Permission denied
gitlab_gitlab_1 exited with code 1
[root@host131 gitlab]# 

Cause

SELinux is enabled on the host and running in enforcing mode:

[root@host131 gitlab]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31
[root@host131 gitlab]# 

Fix

  • Change the SELINUX setting
[root@host131 gitlab]# sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config
[root@host131 gitlab]# 
[root@host131 gitlab]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          disabled
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31
[root@host131 gitlab]# 
  • Reboot so that the SELINUX change takes effect
[root@host131 gitlab]# reboot
Shared connection to 127.0.0.1 closed.
liumiaocn:gitlab liumiao$ 
  • Confirm the status again after the reboot
[root@host131 gitlab]# sestatus
SELinux status:                 disabled
[root@host131 gitlab]# 

Note: for an introduction to SELinux, see https://blog.csdn.net/liumiaocn/article/details/103294064/

Verifying the result

  • Start the GitLab service
[root@host131 gitlab]# docker-compose up -d
Creating network "gitlab_default" with the default driver
Creating gitlab_gitlab_1 ... done
[root@host131 gitlab]# 
  • Check the GitLab service status
[root@host131 gitlab]# docker-compose ps
     Name             Command               State                                          Ports                                
--------------------------------------------------------------------------------------------------------------------------------
gitlab_gitlab_1   /assets/wrapper   Up (health: starting)   0.0.0.0:30022->22/tcp, 0.0.0.0:30443->443/tcp, 0.0.0.0:32001->80/tcp
[root@host131 gitlab]# 

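As you can see, the container has now reached the starting stage instead of exiting immediately after launch.

Note: this article records an example of SELinux's effect on container startup. The fix used here is to disable SELinux outright; it does not cover how to configure things with SELinux still enabled.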
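
An added example, not part of the original post: one way to keep SELinux in enforcing mode is to have Docker relabel the bind-mounted directories with the `:Z` volume option instead of disabling SELinux. It assumes the same directory layout as the docker-compose.yml above and that the three host directories are used only by this container.

```yaml
# Added example (not from the original post): the same service as above,
# with SELinux left in enforcing mode on the host.
version: '2'
services:
  # Version Control service: Gitlab
  gitlab:
    image: gitlab/gitlab-ce:12.10.5-ce.0
    ports:
      - "32001:80"
      - "30022:22"
      - "30443:443"
    volumes:
      # ":Z" asks Docker to relabel the host directory with a private,
      # unshared SELinux label so this container's processes can write to it.
      # Use ":z" (lowercase) instead when several containers must share
      # the same directory.
      # Assumption: ./log, ./data and ./conf are dedicated to this container.
      # Do not apply these options to system directories such as /home or
      # /usr, because relabeling them can break the host.
      - ./log/:/var/log/gitlab:Z
      - ./data/:/var/opt/gitlab:Z
      - ./conf/:/etc/gitlab:Z
    restart: "no"
```

After `docker-compose up -d`, `ls -dZ ./conf` shows the label applied to the directory, and `sestatus` should still report enforcing mode.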

Reposted from blog.csdn.net/liumiaocn/article/details/107948727