【问题标题】:What permissions does nginx need for the Gitlab-workhorse socket?nginx 对 Gitlab-workhorse 套接字需要什么权限?
【发布时间】:2016-05-21 13:16:46
【问题描述】:

我整天都在努力解决这个问题。我正在使用现有的 nginx 安装在 Ubuntu 14.04 上运行 GitLab 的综合安装。我可以登录、创建项目、问题等,但我不能从外部(不是通过 web gui)向项目推送/拉取、克隆或任何东西。一个问题...我在这台服务器上运行 Plesk 12.5。以下是一些输出:

nginx报错:

2016/02/10 16:00:50 [crit] 24866#0: *53 connect() to unix://var/opt/gitlab/gitlab-workhorse/socket 
failed (13: Permission denied) while connecting to upstream, client: XXX.XXX.X.X, 
server: git.example.com, 
request: "GET /namespace/project-name.git/info/refs?service=git-upload-pack HTTP/1.1", 
upstream: "http://unix://var/opt/gitlab/gitlab-workhorse/socket:/namespace/project-name.git/info/refs?service=git-upload-pack", host: "git.example.com"

主力套接字的权限:

srwxrwxrwx 1 git git 0 Feb 2 18:40 socket

我尝试将所有者更改为 nginx (www-data) 并将组更改为 gitlab-www 但没有运气。我没有使用任何不同的目录....只是不知道从这里去哪里。我已经快要开始运行了,但感觉还很远!!

Gitlab:check(是的,IMAP 设置有错误,但我认为这不相关???)

Checking GitLab Shell ...

GitLab Shell version >= 2.6.10 ? ... OK (2.6.10)
Repo base directory exists? ... yes
Repo base directory is a symlink? ... no
Repo base owned by git:git? ... yes
Repo base access is drwxrws---? ... yes
hooks directories in repos are links: ...
[... project checks all ok ...]
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Check GitLab API access: OK
Check directories and files:
        /var/opt/gitlab/git-data/repositories: OK
        /var/opt/gitlab/.ssh/authorized_keys: OK
Test redis-cli executable: redis-cli 2.8.21
Send ping to redis server: PONG
gitlab-shell self-check successful

Checking GitLab Shell ... Finished

Checking Sidekiq ...

Running? ... yes
Number of Sidekiq processes ... 1

Checking Sidekiq ... Finished

Checking Reply by email ...

Address formatted correctly? ... yes
IMAP server credentials are correct? ... no
  Try fixing it:
  Check that the information in config/gitlab.yml is correct
  For more information see:
  doc/incoming_email/README.md
  Please fix the error above and rerun the checks.
Init.d configured correctly? ... skipped (omnibus-gitlab has no init script)
MailRoom running? ... can't check because of previous errors

Checking Reply by email ... Finished

Checking LDAP ...

LDAP is disabled in config/gitlab.yml

Checking LDAP ... Finished

Checking GitLab ...

Git configured with autocrlf=input? ... yes
Database config exists? ... yes
Database is SQLite ... no
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config outdated? ... no
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory setup correctly? ... yes
Init script exists? ... skipped (omnibus-gitlab has no init script)
Init script up-to-date? ... skipped (omnibus-gitlab has no init script)
projects have namespace: ...
[... project checks all yes ...]
Redis version >= 2.8.0? ... yes
Ruby version >= 2.1.0 ? ... yes (2.1.8)
Your git bin path is "/opt/gitlab/embedded/bin/git"
Git version >= 1.7.10 ? ... yes (2.6.2)
Active users: 4

Checking GitLab ... Finished

这是虚拟主机的 nginx 配置:

location /uploads/ {
    ## If you use HTTPS make sure you disable gzip compression
    ## to be safe against BREACH attack.
    gzip off;

    proxy_read_timeout      300;
    proxy_connect_timeout   300;
    proxy_redirect          off;

    proxy_set_header    Host                $http_host;
    proxy_set_header    X-Real-IP           $remote_addr;
    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
    proxy_set_header    X-Forwarded-Proto   $scheme;
    proxy_set_header    X-Frame-Options     SAMEORIGIN;

    proxy_pass https://gitlab;
}

location @gitlab {
    ## If you use HTTPS make sure you disable gzip compression
    ## to be safe against BREACH attack.
    gzip off;

    proxy_read_timeout      300;
    proxy_connect_timeout   300;
    proxy_redirect          off;

    proxy_set_header    Host                $http_host;
    proxy_set_header    X-Real-IP           $remote_addr;
    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
    proxy_set_header    X-Forwarded-Proto   $scheme;
    proxy_set_header    X-Frame-Options     SAMEORIGIN;

    #proxy_pass http://gitlab;

    # Returns 502 error if not changed to localhost
    proxy_pass http://localhost:8080;
}

location ~ ^/[\w\.-]+/[\w\.-]+/gitlab-lfs/objects {
    client_max_body_size 0;
    error_page 418 = @gitlab-workhorse;
    return 418;
}

location ~ ^/[\w\.-]+/[\w\.-]+/(info/refs|git-upload-pack|git-receive-pack)$ {
    client_max_body_size 0;
    error_page 418 = @gitlab-workhorse;
    return 418;
}

location ~ ^/[\w\.-]+/[\w\.-]+/repository/archive {
    client_max_body_size 0;
    error_page 418 = @gitlab-workhorse;
    return 418;
}

location ~ ^/api/v3/projects/.*/repository/archive {
    client_max_body_size 0;
    error_page 418 = @gitlab-workhorse;
    return 418;
}

location ~ ^/[\w\.-]+/[\w\.-]+/builds/download {
    client_max_body_size 0;
    error_page 418 = @gitlab-workhorse;
    return 418;
}

location ~ /ci/api/v1/builds/[0-9]+/artifacts {
    client_max_body_size 0;
    error_page 418 = @gitlab-workhorse;
    return 418;
}

location @gitlab-workhorse {
    client_max_body_size 0;
    ## If you use HTTPS make sure you disable gzip compression
    ## to be safe against BREACH attack.
    gzip off;

    #   proxy_read_timeout      300;
    #   proxy_connect_timeout   300;
    #   proxy_redirect          off;

    proxy_buffering off;

    # The following settings only work with NGINX 1.7.11 or newer
    #
    # # Pass chunked request bodies to gitlab-workhorse as-is
    #proxy_request_buffering off;

    proxy_read_timeout      300;
    proxy_connect_timeout   300;
    proxy_redirect          off;

    proxy_http_version 1.1;

    proxy_set_header    Host                $http_host;
    proxy_set_header    X-Real-IP           $remote_addr;
    proxy_set_header    X-Forwarded-Ssl     on;
    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
    proxy_set_header    X-Forwarded-Proto   $scheme;
    proxy_pass http://gitlab-workhorse;

}

location ~ ^/(assets)/ {
    root /opt/gitlab/embedded/service/gitlab-rails/public;
    gzip_static on; # to serve pre-gzipped version
    expires max;
    add_header Cache-Control public;
}

location ~ / {
    root /opt/gitlab/embedded/service/gitlab-rails/public;
    try_files $uri $uri/index.html $uri.html @gitlab;
}

error_page 502 /502.html;

最后,这里是 vhost 的服务器块级别的配置:

upstream gitlab {
  server unix:/var/opt/gitlab/gitlab-rails/sockets/gitlab.socket fail_timeout=0;
}

upstream gitlab-workhorse {
  server unix://var/opt/gitlab/gitlab-workhorse/socket fail_timeout=0;
}

查看https://github.com/gitlabhq/omnibus-gitlab/blob/master/doc/settings/nginx.md 的文档我看到了这个注释,但它没有指定权限应该是什么:

*注意:确保 webserver 用户对外部 web-server 使用的所有目录具有正确的权限,否则在读取上游错误时会收到 failed (XX: Permission denied)。

任何指导将不胜感激。

【问题讨论】:

  • 我投票决定将此问题作为题外话结束,因为它应该发布在askubuntu.com
  • 剩下的标签怎么跑题了?我总是对此感到迷茫,如果一个标签不匹配,那么它就跑题了?它处理几个不同的堆栈组件,这些组件适用于几个不同的堆栈组件。
  • 好吧,off-topic 并不是一个正确的词,但我没有从近距离投票机制中获得好的选择。我想说的是,人们可能会发现那里比这里更容易回答。但是,我可能错了;)
  • 感谢@gsamaras 解决这个问题。我可以删除 ubuntu 标签,我只是不确定不同 Linux 发行版上的权限是否相同。我已将其直接发布在 GitLabs 网站上,但希望可能有更广泛的受众会有所帮助。

标签: nginx gitlab plesk gitlab-omnibus


【解决方案1】:

同样的问题也发生在我的服务器上。我通过编辑 /etc/gitlab/gitlab.rc 解决了

    # my nginx run with user nginx.
    web_server['external_users'] = ['nginx']
    web_server['username'] = 'nginx'
    web_server['group'] = 'nginx'
    web_server['uid'] = 994 
    web_server['gid'] = 991 
    web_server['shell'] = '/bin/false'                                                                                                                                                                                  
    web_server['home'] = '/var/lib/nginx'

第一次我只是添加 web_server['external_users'] = ['nginx'] 但在我添加所有这些之前它仍然无法正常工作。希望对您有所帮助。

【讨论】:

    【解决方案2】:

    遇到过类似的问题,日志明确提示权限问题。

    在来自 Gitlab 的 NGINX 配置文档的末尾,http://doc.gitlab.com/omnibus/settings/nginx.html 它提供了所需的权限设置。
    sudo usermod -aG gitlab-www www-data 重新启动服务后,它按预期工作。

    【讨论】:

    • +1 - 重启 nginx 在这里很关键。这是我错过的一步。我已经修复了我的权限,但对于为什么它不起作用而摸不着头脑。
    • 或在 Plesk 17.5 Onxy 下使用 Centos 7.11 usermod -aG gitlab-www nginx
    【解决方案3】:

    奇怪的是,我的/etc/nginx/nginx.conf 文件中没有定义用户,这导致了你提到的问题。

    所以我在/etc/nginx/nginx.conf 文件中添加了这一行:

    user www-data;
    

    然后我运行了这个命令:

    sudo usermod -aG gitlab-www www-data
    

    我重新启动了 Nginx (sudo service nginx restart),一切正常。

    【讨论】:

    • +1 - 重启 nginx 在这里很关键。这是我错过的一步。我已经修复了我的权限,但对于为什么它不起作用而摸不着头脑。
    猜你喜欢
    • 2022-11-13
    • 2011-02-10
    • 2012-09-06
    • 1970-01-01
    • 1970-01-01
    • 1970-01-01
    • 1970-01-01
    • 1970-01-01
    • 1970-01-01
    相关资源
    最近更新 更多