-
-
Notifications
You must be signed in to change notification settings - Fork 5.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Gitea cannot start with a read-only config #5704
Comments
The secret is exactly 32 characters encoded in base64, and it works perfectly if I switch the image to 1.6 |
I think my issue is related. gitea/gitea:latest broke my install, apparently when it cannot migrate, because it is getting "permission denied", eventhough the app.ini file is owned by user git (as it should be). The log keeps showing this repeatedly.
Everything works fine when I revert to tag 1.6. EDIT: Take that back...on one of my installs, even with 1.6 the installation is hosed (same repeated messages as above). What is going on?? |
I'm currently running with LFS disabled and it does indeed work (as someone already mentioned): https://git.captnemo.in/nemo/nebula/commit/18164d175e38ea6383462b2eb870c82d21f84f2c But if you are using LFS and have a secret already in your config, 1.7 breaks your config and overwrites it. |
In my case, setting LFS off does nothing. The install is still broken. Seems mine is unrelated in the sense that it doesn't relate to LFS. Opened #5708 . |
Hmm... is this still broken since this commit: 9e9d1b8 ? |
Tested against |
Cool. Sorry about that. We need to add an integration test that takes a Gitea db from the minimal version and a few choice other versions and migrates it. That way we'll know if there's an issue in migration quicker. This would be a quick pr I think. |
Unfortunately :latest docker image from 14.01.2019 still is broken with the permission denied error on the app.ini for me. Reverting to 1.6 makes it run still fine. Is there something like a "stable" channel? |
I double checked after your comment, and switching to |
Not sure what is happening with your setup, but I have Please pardon my ignorance, but where is |
It gets rendered in via terraform: https://git.captnemo.in/nemo/nebula/src/branch/master/gitea/data.tf#L13-L23, which uploads it as a file inside the container. I'll try to switch LFS back on and see if I can get an error code or some logs out it tomorrow. |
Might I add that I am running the stack on my server with docker-compose as root. I do not know if this matters, but I have never tried any other way to do with docker-compose. Obviously, inside the container, the user that runs the app is the default ( |
Okay, now my setup is borked in the same way as @bkraul
Keeps on repeating the same logs. Switching on debug logs does give some information:
Edit: This looks like a known issue: #5759 Will close this issue once I can get past that. |
@captn3m0, workaround explained in #5681 . Basically, you connect to the MySQL/MariaDB DB and set the theme column in the user table for all the users as After setting that up, everything worked fine with the latest version. |
My nemesis was #5759 (I made the Finally fixed it by running all the sqlite commands in migrations/78 manually and bumping the version to 79. |
Turned back |
Does your app.ini still have: Rather than an actual jws secret in it? |
No it doesn't. It gets rendered by Terraform, so gitea gets the actual secret:
Right now set to false to keep the server running. The server is up at https://git.captnemo.in, happy to give you temporary admin access if you signup. |
So, in your testing if LFS is set to true, do you get anything in the logs? I'm just asking so that it's easier to look for the misbehaving code. |
Ah sorry just noticed the above |
I've switched to log level Trace, but it doesn't get me anything more.
|
@captn3m0 how about |
Ok there's two places that error is printed:
Line 986 can only be reached if INTERNAL_SECRET is empty and stopping LFS would have no effect on that. Line 947 is therefore the culprit. This can only be reached depending on the results of gitea/modules/setting/setting.go Line 923 in 1bb22b2
n, err := base64.RawURLEncoding.Decode(LFS.JWTSecretBytes, []byte(LFS.JWTSecretBase64)) If Ok are you sure that base64 URLDecoded your LFS value is 32 and that it's valid? |
I'd gotten to the same root cause, and mentioned this above:
|
|
Actually looking at that file I'm not sure that I see |
The Edit: A possible cause is that the
Edit2: @zeripath Re-read your earlier comment and I can understand what you mean now. |
I'm not at a dev box. Are you able to diff |
@typeless he doesn't want Gitea to write to that file, and for some reason it is despite having a good config that should mean it doesn't need to write to the file. Primarily Gitea is writing to app.ini because it can't find a valid jwt token for LFS but there is one in the app.ini. |
OK, so I've looked at this again. Looking at sec = Cfg.Section("server")
if err = sec.MapTo(&LFS); err != nil {
log.Fatal(4, "Failed to map LFS settings: %v", err)
}
LFS.ContentPath = sec.Key("LFS_CONTENT_PATH").MustString(filepath.Join(AppDataPath, "lfs"))
if !filepath.IsAbs(LFS.ContentPath) {
LFS.ContentPath = filepath.Join(AppWorkPath, LFS.ContentPath)
}
LFS.HTTPAuthExpiry = sec.Key("LFS_HTTP_AUTH_EXPIRY").MustDuration(20 * time.Minute) Now the So I think we're back to the original: n, err := base64.RawURLEncoding.Decode(LFS.JWTSecretBytes, []byte(LFS.JWTSecretBase64))
Basically your JWT secret is not correct. Now that code hasn't changed so I don't understand why it was working for you on 1.6 How can we work around this?I suggest you regenerate a JWT Secret and see if that fixes your problem. If it does - then you can post your old JWT secret and we can test it or you can use the playground I've put in here to test your secret: |
Thanks a lot for sticking with me on this. Looks like my secret is incorrect after all. I think I screwed up when I made the check last time and checked some other secret. I'll file a PR for the documentation, it needs to mention base64 (and how to generate a valid secret) However, I'm unable to still generate a valid secret that decodes to 32 bytes. I've tried
|
It's not just base64 it's RawURLencoded base64 |
I tried generating it with go: https://play.golang.org/p/VeLnNm8piDY Still can't get it to work. |
I still have the issue with "latest" which is <1 hour old. I create the config as kubernetes ConfigMap, so it's read-only. In my logs I see lots of
The secret I set (for testing purpose, not my actual secret) is LFS_JWT_SECRET = ZbVOMOq1jKet3XH2UvIS1gTB4C-nVz2dJCIR37J61wQ I have reviewed the current master code and tried to reproduce that: https://play.golang.org/p/RT4Sn4KOusH - on that test it seems to work properly. |
Update: Figured out that it was the "INTERNAL_TOKEN", not the LFS token it tried to write. |
I ended up in mounting the config at a different location and copy it on container startup. |
A possible option to solve this issue would be to put the secrets into a different file (secrets.ini). |
After you fill all the necessary items, it should be read-only. Otherwise, you have to fill even database config items. |
I hit the same problem while trying to deploy gitea with ansible with a read-only
|
- Install the Gitea self-hosted git service https://gitea.io/ - Install gitea from precompiled binary - enable gitea role in playbook - transmission: remove tasks for stopping/starting the service during setup, restart it in a handler - start renaming apache2 role to apache - add gitea config variables and main config file - add gitea systemd service - add role readme and metadata - add apache2 reverseproxy configuration for gitea - set gitea port to 3000, allow git-http interaction - disable gitea's internal ssh server - create gitea user account - workaround limitation of ansibl unarchive modules (can only extract .tar.xz, not .xz) - rename 'update apache2 homepage' handler to 'update webserver homepage' - add automatic password generation for gitea secrets - remove generation of JWT secret key, blocked by go-gitea/gitea#5704
You can visit https://docs.gitea.io/en-us/command-line/ and find |
Gitea is now running properly with a read-only config file for me. Indeed the solution was to generate |
So let's close this issue. Please feel free to reopen it. |
I submitted #6348 to document this a bit more. |
A recent release enable Either disable |
[x]
):Description
Running with the exact same configuration and on 1.6 latest docker image does not give this error.
The configuration file does have the following lines:
The text was updated successfully, but these errors were encountered: