What permissions does nginx need for the Gitlab-workhorse socket?
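I have been struggling with this all day. I am running an omnibus install of GitLab on Ubuntu 14.04, using an existing nginx install. I can log in, create projects, issues, etc., but I can't push/pull, clone externally (not through the web GUI) or do anything to a project. One catch... I am running Plesk 12.5 on this server. Here is some output:
nginx reports the error: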
2016/02/10 16:00:50 [crit] 24866#0: *53 connect() to unix://var/opt/gitlab/gitlab-workhorse/socket
failed (13: Permission denied) while connecting to upstream, client: XXX.XXX.X.X,
server: git.example.com,
request: "GET /namespace/project-name.git/info/refs?service=git-upload-pack HTTP/1.1",
upstream: "http://unix://var/opt/gitlab/gitlab-workhorse/socket:/namespace/project-name.git/info/refs?service=git-upload-pack", host: "git.example.com"
Permissions on the workhorse socket:
srwxrwxrwx 1 git git 0 Feb 2 18:40 socket
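I tried changing the owner to nginx (www-data) and the group to gitlab-www, but with no success. I am not using any different directories... just not sure where to go from here. I am so close to getting this running, but it feels so far!!
gitlab:check (yes, there is an error in the IMAP settings, but I don't think that's related???)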
Checking GitLab Shell ...
GitLab Shell version >= 2.6.10 ? ... OK (2.6.10)
Repo base directory exists? ... yes
Repo base directory is a symlink? ... no
Repo base owned by git:git? ... yes
Repo base access is drwxrws---? ... yes
hooks directories in repos are links: ...
[... project checks all ok ...]
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Check GitLab API access: OK
Check directories and files:
/var/opt/gitlab/git-data/repositories: OK
/var/opt/gitlab/.ssh/authorized_keys: OK
Test redis-cli executable: redis-cli 2.8.21
Send ping to redis server: PONG
gitlab-shell self-check successful
Checking GitLab Shell ... Finished
Checking Sidekiq ...
Running? ... yes
Number of Sidekiq processes ... 1
Checking Sidekiq ... Finished
Checking Reply by email ...
Address formatted correctly? ... yes
IMAP server credentials are correct? ... no
Try fixing it:
Check that the information in config/gitlab.yml is correct
For more information see:
doc/incoming_email/README.md
Please fix the error above and rerun the checks.
Init.d configured correctly? ... skipped (omnibus-gitlab has no init script)
MailRoom running? ... can't check because of previous errors
Checking Reply by email ... Finished
Checking LDAP ...
LDAP is disabled in config/gitlab.yml
Checking LDAP ... Finished
Checking GitLab ...
Git configured with autocrlf=input? ... yes
Database config exists? ... yes
Database is SQLite ... no
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config outdated? ... no
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory setup correctly? ... yes
Init script exists? ... skipped (omnibus-gitlab has no init script)
Init script up-to-date? ... skipped (omnibus-gitlab has no init script)
projects have namespace: ...
[... project checks all yes ...]
Redis version >= 2.8.0? ... yes
Ruby version >= 2.1.0 ? ... yes (2.1.8)
Your git bin path is "/opt/gitlab/embedded/bin/git"
Git version >= 1.7.10 ? ... yes (2.6.2)
Active users: 4
Checking GitLab ... Finished
Here is the nginx config for the vhost:
location /uploads/ {
  ## If you use HTTPS make sure you disable gzip compression
  ## to be safe against BREACH attack.
  gzip off;
  proxy_read_timeout 300;
  proxy_connect_timeout 300;
  proxy_redirect off;
  proxy_set_header Host $http_host;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header X-Forwarded-Proto $scheme;
  proxy_set_header X-Frame-Options SAMEORIGIN;
  proxy_pass https://gitlab;
}
location @gitlab {
  ## If you use HTTPS make sure you disable gzip compression
  ## to be safe against BREACH attack.
  gzip off;
  proxy_read_timeout 300;
  proxy_connect_timeout 300;
  proxy_redirect off;
  proxy_set_header Host $http_host;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header X-Forwarded-Proto $scheme;
  proxy_set_header X-Frame-Options SAMEORIGIN;
  #proxy_pass http://gitlab;
  # Returns 502 error if not changed to localhost
  proxy_pass http://localhost:8080;
}
location ~ ^/[\w\.-]+/[\w\.-]+/gitlab-lfs/objects {
  client_max_body_size 0;
  error_page 418 = @gitlab-workhorse;
  return 418;
}
location ~ ^/[\w\.-]+/[\w\.-]+/(info/refs|git-upload-pack|git-receive-pack)$ {
  client_max_body_size 0;
  error_page 418 = @gitlab-workhorse;
  return 418;
}
location ~ ^/[\w\.-]+/[\w\.-]+/repository/archive {
  client_max_body_size 0;
  error_page 418 = @gitlab-workhorse;
  return 418;
}
location ~ ^/api/v3/projects/.*/repository/archive {
  client_max_body_size 0;
  error_page 418 = @gitlab-workhorse;
  return 418;
}
location ~ ^/[\w\.-]+/[\w\.-]+/builds/download {
  client_max_body_size 0;
  error_page 418 = @gitlab-workhorse;
  return 418;
}
location ~ /ci/api/v1/builds/[0-9]+/artifacts {
  client_max_body_size 0;
  error_page 418 = @gitlab-workhorse;
  return 418;
}
location @gitlab-workhorse {
  client_max_body_size 0;
  ## If you use HTTPS make sure you disable gzip compression
  ## to be safe against BREACH attack.
  gzip off;
  # proxy_read_timeout 300;
  # proxy_connect_timeout 300;
  # proxy_redirect off;
  proxy_buffering off;
  # The following settings only work with NGINX 1.7.11 or newer
  #
  # # Pass chunked request bodies to gitlab-workhorse as-is
  #proxy_request_buffering off;
  proxy_read_timeout 300;
  proxy_connect_timeout 300;
  proxy_redirect off;
  proxy_http_version 1.1;
  proxy_set_header Host $http_host;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header X-Forwarded-Ssl on;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header X-Forwarded-Proto $scheme;
  proxy_pass http://gitlab-workhorse;
}
location ~ ^/(assets)/ {
  root /opt/gitlab/embedded/service/gitlab-rails/public;
  gzip_static on; # to serve pre-gzipped version
  expires max;
  add_header Cache-Control public;
}
location ~ / {
  root /opt/gitlab/embedded/service/gitlab-rails/public;
  try_files $uri $uri/index.html $uri.html @gitlab;
}
error_page 502 /502.html;
And lastly, here is the vhost config at the server block level:
upstream gitlab {
  server unix:/var/opt/gitlab/gitlab-rails/sockets/gitlab.socket fail_timeout=0;
}
upstream gitlab-workhorse {
  server unix://var/opt/gitlab/gitlab-workhorse/socket fail_timeout=0;
}
Looking at the documentation at https://github.com/gitlabhq/omnibus-gitlab/blob/master/doc/settings/nginx.md, I saw this note, but it doesn't specify what the permissions should be:
*Note: make sure that the webserver user has the correct permissions on all directories used by external web-server, otherwise you will receive failed (XX: Permission denied) while reading upstream errors.
Any guidance would be greatly appreciated.
I had the same problem on my server. I solved it by editing /etc/gitlab/gitlab.rc:
# my nginx run with user nginx.
web_server['external_users'] = ['nginx']
web_server['username'] = 'nginx'
web_server['group'] = 'nginx'
web_server['uid'] = 994
web_server['gid'] = 991
web_server['shell'] = '/bin/false'
web_server['home'] = '/var/lib/nginx'
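At first I only added web_server['external_users'] = ['nginx'], but it still didn't work until I added all of these. Hope this helps.
I ran into a similar problem; the log clearly pointed to a permissions issue.
At the end of GitLab's NGINX configuration documentation, http://doc.gitlab.com/omnibus/settings/nginx.html, it gives the required permission setting: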
sudo usermod -aG gitlab-www www-data
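After restarting the service, it worked as expected.
Strangely, there was no user defined in my /etc/nginx/nginx.conf file, which caused the problem you mentioned.
So I added this line to my /etc/nginx/nginx.conf file: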
user www-data;
Then I ran this command:
sudo usermod -aG gitlab-www www-data
I restarted Nginx (sudo service nginx restart), and everything worked.
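Added example (not part of the original question or answers): a POSIX shell helper that walks the path to the workhorse socket and prints the first component a given uid and group list cannot pass, which is how a socket with mode srwxrwxrwx can still produce "13: Permission denied" when a parent directory is closed to the web server user. The function names, the optional start-directory argument and the use of GNU stat are assumptions of this example; ACLs and AppArmor/SELinux are not evaluated.

```shell
#!/bin/sh
# Added example; requires GNU stat (as on Ubuntu). Function names are illustrative.

# allowed UID "GIDS" FILE NEED: succeed if the identity holds permission bit
# NEED on FILE (1 = search/execute, 2 = write), using the single
# owner/group/other class that the kernel would select.
allowed() {
    a_uid=$1; a_gids=$2; a_file=$3; a_need=$4
    if [ "$a_uid" -eq 0 ]; then return 0; fi          # root bypasses mode bits
    a_st=$(stat -c '%u %g %a' "$a_file") || return 1  # missing file counts as denied
    a_owner=${a_st%% *}; a_rest=${a_st#* }
    a_group=${a_rest%% *}; a_mode=$((0${a_rest#* }))  # leading 0 makes it octal
    if [ "$a_uid" -eq "$a_owner" ]; then
        a_bits=$(( (a_mode >> 6) & 7 ))
    else
        a_bits=$(( a_mode & 7 ))
        for a_g in $a_gids; do
            if [ "$a_g" -eq "$a_group" ]; then a_bits=$(( (a_mode >> 3) & 7 )); fi
        done
    fi
    [ $(( a_bits & a_need )) -ne 0 ]
}

# first_denied UID "GIDS" /abs/path/to/socket [START_DIR]
# Prints the first component that denies access, or nothing if all pass.
# START_DIR itself and everything above it (default: /) is not checked.
first_denied() {
    fd_uid=$1; fd_gids=$2; fd_target=$3; fd_start=${4:-/}
    fd_cur=${fd_start%/}                    # "/" becomes "" so joins stay clean
    fd_rest=${fd_target#"$fd_cur"/}
    while [ -n "$fd_rest" ]; do
        fd_cur=$fd_cur/${fd_rest%%/*}
        case $fd_rest in
            */*) fd_rest=${fd_rest#*/}; fd_need=1 ;;  # directory: needs search (x)
            *)   fd_rest=;              fd_need=2 ;;  # socket: connect() needs write
        esac
        if ! allowed "$fd_uid" "$fd_gids" "$fd_cur" "$fd_need"; then
            echo "$fd_cur"; return 0
        fi
    done
}

# Typical call for the setup in the question:
# first_denied "$(id -u www-data)" "$(id -G www-data)" /var/opt/gitlab/gitlab-workhorse/socket
```

`id -G` reads the group database, while a running nginx keeps the group list it started with, so a membership added with usermod only applies after the restart the answers mention.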