Gerrit not starting up when following the production example in docker-gerrit

[Claudio DeSouza]

Hello everyone,

I have been trying for a few days already to get gerrit running, as suggested in the readme of the docker-gerrit project (https://gerrit.googlesource.com/docker-gerrit), under the section Using Gerrit In Production, but I keep getting permission errors over and over.

Here's the scenario. I have an ubuntu machine with a root and another user with sudo access.

When I try to run gerrit as root, I get the following error.

gerrit_postgres_1 is up-to-date
Creating gerrit_ldap_1 ... done
Creating gerrit_gerrit_1 ... done
Attaching to gerrit_gerrit_1
gerrit_1      | fatal: /var/gerrit/etc/mail
gerrit_1      | fatal: Cannot make directory /var/gerrit/etc/mail
gerrit_gerrit_1 exited with code 128

However, when I try to run it as the normal user, I get the following error.

gerrit_ldap_1 is up-to-date
gerrit_postgres_1 is up-to-date
Starting gerrit_gerrit_1 ... done
Attaching to gerrit_gerrit_1
gerrit_1      | Exception in thread "main" java.io.IOException: Permission denied
gerrit_1      |     at java.io.UnixFileSystem.createFileExclusively(Native Method)
gerrit_1      |     at java.io.File.createNewFile(File.java:1012)
gerrit_1      |     at org.eclipse.jgit.util.FS_POSIX.createNewFileAtomic(FS_POSIX.java:434)
gerrit_1      |     at org.eclipse.jgit.internal.storage.file.LockFile.lock(LockFile.java:179)
gerrit_1      |     at org.eclipse.jgit.storage.file.FileBasedConfig.save(FileBasedConfig.java:227)
gerrit_1      |     at com.google.gerrit.server.index.GerritIndexStatus.save(GerritIndexStatus.java:48)
gerrit_1      |     at com.google.gerrit.server.index.IndexUtils.setReady(IndexUtils.java:43)
gerrit_1      |     at com.google.gerrit.pgm.init.InitIndex.run(InitIndex.java:71)
gerrit_1      |     at com.google.gerrit.pgm.init.SitePathInitializer.run(SitePathInitializer.java:93)
gerrit_1      |     at com.google.gerrit.pgm.init.BaseInit.run(BaseInit.java:138)
gerrit_1      |     at com.google.gerrit.pgm.util.AbstractProgram.main(AbstractProgram.java:61)
gerrit_1      |     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
gerrit_1      |     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
gerrit_1      |     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
gerrit_1      |     at java.lang.reflect.Method.invoke(Method.java:498)
gerrit_1      |     at com.google.gerrit.launcher.GerritLauncher.invokeProgram(GerritLauncher.java:223)
gerrit_1      |     at com.google.gerrit.launcher.GerritLauncher.mainImpl(GerritLauncher.java:119)
gerrit_1      |     at com.google.gerrit.launcher.GerritLauncher.main(GerritLauncher.java:63)
gerrit_1      |     at Main.main(Main.java:24)
gerrit_gerrit_1 exited with code 1

I've tried to change the permissions of /external multiple times to no avail. Do you think you can provided me a few pointer in this regard?

Cheers.

[Luca Milanesio]

On 18 Oct 2018, at 16:41, Claudio DeSouza <claudi...@gmail.com> wrote:

Hello everyone,

I have been trying for a few days already to get gerrit running, as suggested in the readme of the docker-gerrit project (https://gerrit.googlesource.com/docker-gerrit), under the section Using Gerrit In Production, but I keep getting permission errors over and over.

Here's the scenario. I have an ubuntu machine with a root and another user with sudo access.

When I try to run gerrit as root, I get the following error.

gerrit_postgres_1 is up-to-date
Creating gerrit_ldap_1 ... done
Creating gerrit_gerrit_1 ... done
Attaching to gerrit_gerrit_1
gerrit_1      | fatal: /var/gerrit/etc/mail
gerrit_1      | fatal: Cannot make directory /var/gerrit/etc/mail
gerrit_gerrit_1 exited with code 128

I believe the user that is running gerrit (gerrit) is not defined or not authorised on the physical host to read/write to /etc.

Can you share your docker-compose.yaml?

This is more a docker issue rather than a Gerrit one.

Can you check the user's permissions as previously mentioned?

Cheers.

--
--
To unsubscribe, email repo-discuss...@googlegroups.com
More info at http://groups.google.com/group/repo-discuss?hl=en

---
You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to repo-discuss...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Claudio DeSouza]

I'm using the docker-compose.yaml shown as an example in the readme file of that repository. 

version: '3'

services:
  gerrit:
    image: gerritcodereview/gerrit
    ports:
      - "29418:29418"
      - "80:8080"
    links:
      - postgres
    depends_on:
      - postgres
      - ldap
    volumes:
     - /external/gerrit/etc:/var/gerrit/etc
     - /external/gerrit/git:/var/gerrit/git
     - /external/gerrit/index:/var/gerrit/index
     - /external/gerrit/cache:/var/gerrit/cache
#    entrypoint: java -jar /var/gerrit/bin/gerrit.war init -d /var/gerrit

  postgres:
    image: postgres:9.6
    environment:
      - POSTGRES_USER=gerrit
      - POSTGRES_PASSWORD=secret
      - POSTGRES_DB=reviewdb
    volumes:
      - /external/gerrit/postgres:/var/lib/postgresql/data

  ldap:
    image: osixia/openldap
    ports:
      - "389:389"
      - "636:636"
    environment:
      - LDAP_ADMIN_PASSWORD=secret
    volumes:
      - /external/gerrit/ldap/var:/var/lib/ldap
      - /external/gerrit/ldap/etc:/etc/ldap/slapd.d

  ldap-admin:
    image: osixia/phpldapadmin
    ports:
      - "6443:443"
    environment:
      - PHPLDAPADMIN_LDAP_HOSTS=ldap

The user I have is a regular user. I created a path called /external, and then a chowned it to the user, and only then I ran docker-composer. I've noticed that inside /external, files are still created with the root user. However, as I've mentioned before, it also fails when I run it with sudo. Maybe I should run a s root? I don't know.

Cheers,

Claudio DeSouza

[Luca Milanesio]

Gotcha, you leave docker creating them and possibly it creates with its own service identity (root).

Would be best if you create them upfront and make sure they've got the correct ownership / permission.

However, as I've mentioned before, it also fails when I run it with sudo. Maybe I should run a s root? I don't know.

Cheers,

Claudio DeSouza

[Claudio DeSouza]

Right... I admit I'm not that familiar with docker. Having said that, I just want to set up gerrit for our workspace using docker. Is there any other resource that can provide guidance on how to do that? I've reduced the whole thing to only gerrit, and it still fails:

docker-compose.yaml

version: '3'

services:

  gerrit:

    image: gerritcodereview/gerrit

    ports:

      - "29418:29418"

      - "80:8080"

    volumes:

     - /home/admin/external/gerrit/etc:/var/gerrit/etc

     - /home/admin/external/gerrit/git:/var/gerrit/git

     - /home/admin/external/gerrit/index:/var/gerrit/index

     - /home/admin/external/gerrit/cache:/var/gerrit/cache

    entrypoint: java -jar /var/gerrit/bin/gerrit.war init -d /var/gerrit

But I'm still getting this:

Creating network "admin_default" with the default driver

Creating admin_gerrit_1 ... done

Attaching to admin_gerrit_1

gerrit_1  | [2018-10-19 15:38:56,476] [main] INFO  com.google.gerrit.server.config.GerritServerConfigProvider : No /var/gerrit/etc/gerrit.config; assuming defaults

gerrit_1  | fatal: /var/gerrit/etc/mail

gerrit_1  | fatal: Cannot make directory /var/gerrit/etc/mail

I've looked into the paths created inside home/admin/external/, and they are all being created as root. So, I'm not sure how to properly run it as the actual user I have (admin). I even got to set a user entry, to no avail.

[Claudio DeSouza]

I've now managed to get the simple case above to work by manually creating the folder mail and sudo chown admin:admin -R. So... I think I just need some direction in how to sort this out, so this process is not required to be carried out manually.

Cheers.

[trevor...@wandisco.com]

This isnt really a gerrit issue and is down to user and group isolation in docker.

Ok so by default docker will be running as a user say root in your case. The user id may be 5 in the container. Now beware user ids in a container may not and usually wont line up with users outside of the container so root uid on the host may be 15 not 5. So u actually get userid 5s permissions instead of what u expected which was root.
So u often find in the real production environments the hosts have users specifically to run the containers as with mappings.

E.g. say docker-root and docker-user which have been setup on the host before hand. u can then map the user or group ids to the docker container. So it knows to run root in the container with and id thst matches the host user.
You can then limit the root user in the container to less than root on the host which is very useful for grouping file system access etc to just folders that it needs to access and not your whole host which it could access if everything in a container could run as real root.

Here are 2 very important articles to read on the subject.

https://medium.com/@mccode/understanding-how-uid-and-gid-work-in-docker-containers-c37a01d01cf

https://docs.docker.com/engine/security/userns-remap/

I hope this helps your understanding. You dont have this issues with docker volumes as the folders are created and owned by the container user not the hosts.

--


* <http://wandisco.com>*

**The LIVE DATA Company
*Find out more 
*wandisco.com <http://wandisco.com/>*




<https://www.wandisco.com/welcome-live-data-world-video>
*


THIS MESSAGE
AND ANY ATTACHMENTS ARE CONFIDENTIAL, PROPRIETARY AND MAY BE PRIVILEGED

If
this message was misdirected, WANdisco, Inc. and its subsidiaries,
("WANdisco") does not waive any confidentiality or privilege. If you are
not the intended recipient, please notify us immediately and destroy the
message without disclosing its contents to anyone. Any distribution, use or
copying of this email or the information it contains by other than an
intended recipient is unauthorized. The views and opinions expressed in
this email message are the author's own and may not reflect the views and
opinions of WANdisco, unless the author is authorized by WANdisco to
express such views or opinions on its behalf. All email sent to or from
this address is subject to electronic storage and review by WANdisco.
Although WANdisco operates anti-virus programs, it does not accept
responsibility for any damage whatsoever caused by viruses being passed.

[Claudio DeSouza]

Thanks Trevor. That's actually really helpful. I eventually managed to get it working.

I'm quite inexperienced at using containers, and I was surprised that the instructions wouldn't work with a newly installed linux machine. I have spent around 10 hours on this, and I was finally able to crack on what was going on. These you've submitted are useful though, because I was still using some workarounds to get gerrit/etc/mail path created.

Cheers

Claudio DeSouza

[Nagoor Saheb]

Hi Claudio DeSouza,

While I am trying to setup gerrit using Docker, I am seeing the same problem and can you please describe how you have fixed the issue and made it work well.

gerrit_1      | WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations

gerrit_1      | WARNING: All illegal access operations will be denied in a future release

gerrit_1      | fatal: /var/gerrit/etc/mail

gerrit_1      | fatal: Cannot make directory /var/gerrit/etc/mail

production_gerrit_1 exited with code 128

Thanks,

Nagoor Inaganti

[claudi...@gmail.com]

Hi,

It took me a while to see your question so I hope it is not too late. To solve this issue recently, I had to add root as the user to the docker-composer file, as in:

  gerrit:

    user: root

This also means that gerrit.conf you set container.user as root as well.

[container]

  user = root

I hope this helps.

Claudio.